PAN-SA-2016-0006 HTTP Header Evasion
An evasion was identified whereby a user could specially craft an HTTP header to evade URL filtering on Palo Alto Networks firewalls. (Ref #93838)
The HTTP header evasion technique can be used by a malicious insider to bypass URL filtering policy. It is not a product vulnerability that affects the security or integrity of the firewall itself. Most legitimate web servers will not accept such incoming packets. The evasion is only possible if the destination web server does not perform basic checks on the request. Note that this evasion cannot be used to attack and penetrate a network from the outside. It can only be used by a malicious insider to evade URL filtering from the inside of the protected network.
This issue affects PAN-OS releases 5.0.X; 6.0.X; 6.1.X; 7.0.X and 7.1.0
|PAN-OS 7.1||7.1.0||>= 7.1.1|
CVSSv3.1 Base Score:4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
PAN-OS releases 7.1.1 and newer. Customers concerned with this evasion technique are advised to upgrade to PAN-OS 7.1.1 and to enable threat signatures #14984 and #14978. The use of the DNS proxy feature is also recommended for improved accuracy. More details can be found at https://live.paloaltonetworks.com/t5/Notices-and-Service/Information-regarding-TLS-HTTP-header-evasion/ta-p/76562
Workarounds and Mitigations
Customers concerned with this evasion that do not deploy the solution available in PAN-OS 7.1.1 are advised to take the following actions to help mitigate the potential impact of malicious insiders or compromised hosts that may choose to use this evasion technique: (1) Enable SSL certificate checking even for non-decrypted traffic and enforce certificates issued by trusted CAs only. (2) Make sure antivirus, vulnerability, and anti-spyware profiles are applied to all allowed web traffic. (3) Ensure that content packages containing antivirus, vulnerability and anti-spyware protections are up-to-date and configured to update frequently.