CVE-2013-5663

Name of the Vulnerable Software and Affected Versions Palo Alto Networks PAN-OS versions prior to 4.0.14 Palo Alto Networks PAN-OS versions 4.1.x prior to 4.1.11 Palo Alto Networks PAN-OS versions 5.0.x prior to 5.0.2

Description The issue allows remote attackers to bypass intended security policies via crafted requests that trigger invalid caching. This can result in the incorrect identification of traffic, such as identifying HTTP traffic as SIP traffic. A knowledgeable user can bypass security policy by sending specially crafted requests to poison the firewall's App-ID cache, allowing the use of a blocked application for a period of time.

Recommendations For versions prior to 4.0.14, update to version 4.0.14 or later. For versions 4.1.x prior to 4.1.11, update to version 4.1.11 or later. For versions 5.0.x prior to 5.0.2, update to version 5.0.2 or later. As a temporary workaround, consider using one or both of the mitigation steps noted by the vendor while they further enhance the App-ID cache feature to resist all possible pollution techniques.