Dear Teneo Customer,
Palo Alto Networks have recently issued a Security Advisory to address certain vulnerabilities in its products.
An evasion was identified whereby a user could specially craft an HTTP header to evade URL filtering on Palo Alto Networks firewalls. (Ref #93838)
The HTTP header evasion technique can be used by a malicious insider to bypass URL filtering policy. It is not a product vulnerability that affects the security or integrity of the firewall itself. Most legitimate web servers will not accept such incoming packets. The evasion is only possible if the destination web server does not perform basic checks on the request. Note that this evasion cannot be used to attack and penetrate a network from the outside. It can only be used by a malicious insider to evade URL filtering from the inside of the protected network.
PAN-OS releases 5.0.X, 6.0.X, 6.1.X, 7.0.X and 7.1.0
PAN-OS releases 7.1.1 and newer.
Customers concerned with this evasion technique are advised to upgrade to PAN-OS 7.1.1 and to enable threat signatures #14984 and #14978. The use of the DNS proxy feature is also recommended for improved accuracy.
More details can be found at https://live.paloaltonetworks.com/t5/Service-Announcements/Information-regarding-TLS-HTTP-header-evasion/ta-p/76562
Workarounds and Mitigations
Customers concerned with this evasion that do not deploy the solution available in PAN-OS 7.1.1 are advised to take the following actions to help mitigate the potential impact of malicious insiders or compromised hosts that may choose to use this evasion technique:
(1) Enable SSL certificate checking even for non-decrypted traffic and enforce certificates issued by trusted CAs only.
(2) Make sure antivirus, vulnerability, and anti-spyware profiles are applied to all allowed web traffic. Ensure that content packages containing antivirus, vulnerability and anti-spyware protections are up-to-date and configured to update frequently.
Matthew Pozun - Senior Engineer – Information Security, Verisign. Stas Volfus , Bugsec
What if I need help?
If you have any questions regarding this notification please don’t hesitate to reach out to us, or visit our support portal.
You can contact us on our 24 x 7 support number or mail us firstname.lastname@example.org
EMEA: +44 (0)845 299 0623
US: +1 877 836 3610
APAC: +61 1800 765 389