Customer Advisory - Palo Alto Networks Provides Coverage for Two Security Evasions
Resolution
Palo Alto Networks has released coverage for two security evasions:
Layered TCP/IP evasion overview:
Under certain conditions, unspecified layering of packet-level evasions can be used to bypass threat signature matching of the session.
Available Updates:
Customers are advised to upgrade to PAN-OS 6.0.5-h3 or later, 5.0.14-h3 or later, 4.1.18 or later, or 4.0.15 or later. These updates incorporate the ability to block this method of layered TCP/IP evasion. No configuration change is required to take advantage of this protection.
RPC fragmentation evasion overview:
Under certain conditions, specially crafted ONC RPC (commonly known as Sun RPC) packets can evade the RPC signature protections.
Available Updates:
Customers are advised to upgrade to content version 460 or later where mitigations for this evasion are included. No configuration change is required to take advantage of this protection.