Skip to main content

Palo Alto Networks Security Advisory (PAN-SA-2016-0006) - HTTP Header Evasion

Dominique Watson

Dear Teneo Customer,

Palo Alto Networks have recently issued a Security Advisory to address certain vulnerabilities in its products.

Summary

An evasion was identified whereby a user could specially craft an HTTP header to evade URL filtering on Palo Alto Networks firewalls. (Ref #93838)

Severity: Medium

The HTTP header evasion technique can be used by a malicious insider to bypass URL filtering policy. It is not a product vulnerability that affects the security or integrity of the firewall itself. Most legitimate web servers will not accept such incoming packets. The evasion is only possible if the destination web server does not perform basic checks on the request. Note that this evasion cannot be used to attack and penetrate a network from the outside. It can only be used by a malicious insider to evade URL filtering from the inside of the protected network.

Products Affected

PAN-OS releases 5.0.X, 6.0.X, 6.1.X, 7.0.X and 7.1.0

Available Updates

PAN-OS releases 7.1.1 and newer.

Customers concerned with this evasion technique are advised to upgrade to PAN-OS 7.1.1 and to enable threat signatures #14984 and #14978. The use of the DNS proxy feature is also recommended for improved accuracy.

More details can be found at https://live.paloaltonetworks.com/t5/Service-Announcements/Information-regarding-TLS-HTTP-header-evasion/ta-p/76562

Workarounds and Mitigations

Customers concerned with this evasion that do not deploy the solution available in PAN-OS 7.1.1 are advised to take the following actions to help mitigate the potential impact of malicious insiders or compromised hosts that may choose to use this evasion technique:

(1) Enable SSL certificate checking even for non-decrypted traffic and enforce certificates issued by trusted CAs only.

(2) Make sure antivirus, vulnerability, and anti-spyware profiles are applied to all allowed web traffic. Ensure that content packages containing antivirus, vulnerability and anti-spyware protections are up-to-date and configured to update frequently.

Acknowledgements

Matthew Pozun - Senior Engineer – Information Security, Verisign. Stas Volfus , Bugsec

______________________________________________________________________________

What if I need help?

If you have any questions regarding this notification please don’t hesitate to reach out to us, or visit our support portal. 

You can contact us on our 24 x 7 support number or mail us support@teneo.net

EMEA:  +44 (0)845 299 0623
US:  +1 877 836 3610
APAC:  +61 1800 765 389

Thanks

Teneo Support

Comments

0 comments

Article is closed for comments.

Powered by Zendesk