SIP traffic gets past PAN FW as HTTP traffic

The Palo Alto Networks firewall is vulnerable to cache poisoning. For example, a Session Initiation Protocol (SIP) connection, or a connection using any other protocol, can be used as a channel for attacking a company's internal networks. The SIP session may initially be blocked correctly, but by taking advantage of the cache poisoning vulnerability, it can bypass a Palo Alto firewall. The vulnerability could be exploited as follows:

  1. HTTP is allowed by firewall policy.
  2. Opening a SIP session, typically used for VoIP communications, is correctly blocked.
  3. HTTP traffic is generated until the cache hits its threshold, meaning traffic continues going through the cache but is no longer inspected by the firewall.
  4. The HTTP connection is switched to SIP, which is then allowed, exposing you to risk.

Strong security products do not allow cache poisoning, and a strong firewall will never stop inspecting network traffic.
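
The four steps above can be replayed against a toy model to show why a cached verdict must never replace inspection. This is an added example, not code from the original page or from any vendor. The cache key (destination IP and port), the threshold of 3, and the names `classify`, `Firewall` and `run` are assumptions made for illustration.

```python
# Toy model (constructed for illustration): an application-identification cache
# that, once "warm", replaces payload inspection. Not any vendor's real logic.
from collections import defaultdict

ALLOWED_APPS = {"http"}   # policy from the steps above: HTTP allowed, SIP blocked
CACHE_THRESHOLD = 3       # assumed value; the page does not give the real one


def classify(payload: bytes) -> str:
    """Minimal payload inspection: label the application from the first line."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if parts[-1].startswith(b"SIP/") or parts[0].startswith(b"SIP/"):
        return "sip"
    if parts[-1].startswith(b"HTTP/") or parts[0].startswith(b"HTTP/"):
        return "http"
    return "unknown"


class Firewall:
    def __init__(self, trust_cache: bool):
        self.trust_cache = trust_cache          # True = flawed, False = hardened
        self.hits = defaultdict(int)            # (dst_ip, dst_port) -> HTTP sightings

    def allow(self, dst: tuple, payload: bytes) -> bool:
        if self.trust_cache and self.hits[dst] >= CACHE_THRESHOLD:
            return True                          # flaw: cached verdict, payload never inspected
        app = classify(payload)                  # hardened path always reaches here
        if app == "http":
            self.hits[dst] += 1                  # cache is only a statistic, not a verdict
        return app in ALLOWED_APPS


def run(trust_cache: bool) -> list:
    """Replay the four steps from the list against one destination."""
    fw = Firewall(trust_cache)
    dst = ("198.51.100.10", 80)                  # constructed documentation address
    http = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    sip = b"INVITE sip:bob@example.test SIP/2.0\r\n\r\n"
    verdicts = [fw.allow(dst, sip)]              # step 2: SIP is blocked
    verdicts += [fw.allow(dst, http) for _ in range(CACHE_THRESHOLD)]  # step 3
    verdicts.append(fw.allow(dst, sip))          # step 4: SIP after the cache is warm
    return verdicts


if __name__ == "__main__":
    print("cache trusted :", run(True))    # last verdict True: SIP passes uninspected
    print("always inspect:", run(False))   # last verdict False: SIP still blocked
```

The two runs differ only in the final verdict, which is the check to apply when evaluating a firewall: policy decisions for a session must come from inspecting that session, with any cache serving only as a hint.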

Defcon 2011, Brad Woodberg, Juniper Networks
