Palo Alto Networks Security Advisories / PAN-SA-2016-0006

PAN-SA-2016-0006 HTTP Header Evasion

Severity: 4.6 · MEDIUM
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Description

An evasion was identified whereby a user could specially craft an HTTP header to evade URL filtering on Palo Alto Networks firewalls. (Ref #93838)

The HTTP header evasion technique can be used by a malicious insider to bypass URL filtering policy. It is not a product vulnerability that affects the security or integrity of the firewall itself. Most legitimate web servers will not accept such incoming packets. The evasion is only possible if the destination web server does not perform basic checks on the request. Note that this evasion cannot be used to attack and penetrate a network from the outside. It can only be used by a malicious insider to evade URL filtering from the inside of the protected network.

This issue affects PAN-OS releases 5.0.X, 6.0.X, 6.1.X, 7.0.X and 7.1.0.

Product Status

Versions      Affected    Unaffected
PAN-OS 7.1    7.1.0       >= 7.1.1
PAN-OS 7.0    7.0.*
PAN-OS 6.0    6.0.*
PAN-OS 5.0    5.0.*

Severity: MEDIUM

CVSSv3.1 Base Score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Weakness Type

Solution

This issue is addressed in PAN-OS releases 7.1.1 and newer. Customers concerned with this evasion technique are advised to upgrade to PAN-OS 7.1.1 and to enable threat signatures #14984 and #14978. The use of the DNS proxy feature is also recommended for improved accuracy. More details can be found at https://live.paloaltonetworks.com/t5/Notices-and-Service/Information-regarding-TLS-HTTP-header-evasion/ta-p/76562

Workarounds and Mitigations

Customers concerned with this evasion that do not deploy the solution available in PAN-OS 7.1.1 are advised to take the following actions to help mitigate the potential impact of malicious insiders or compromised hosts that may choose to use this evasion technique:

(1) Enable SSL certificate checking even for non-decrypted traffic and enforce certificates issued by trusted CAs only.

(2) Make sure antivirus, vulnerability, and anti-spyware profiles are applied to all allowed web traffic.

(3) Ensure that content packages containing antivirus, vulnerability and anti-spyware protections are up-to-date and configured to update frequently.

Acknowledgments

Matthew Pozun, Senior Engineer - Information Security, Verisign; Stas Volfus, Bugsec
© 2020 Palo Alto Networks, Inc. All rights reserved.