The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
The issue, tracked as CVE-2022-0028 (CVSS score: 8.6), is a URL filtering policy misconfiguration that could be exploited by an unauthenticated, remote attacker to carry out reflected and amplified TCP denial-of-service (DoS) attacks.
“A Palo Alto Networks PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.” reads the advisory published by CISA.
Last week, the vendor reported that threat actors are exploiting the CVE-2022-0028 vulnerability in Palo Alto Networks devices running the PAN-OS to launch reflected amplification denial-of-service (DoS) attacks.
The vendor has learned that firewalls from multiple vendors are abused to conduct distributed denial-of-service (DDoS) attacks, but it did not disclose the name of the impacted companies.
“Palo Alto Networks recently learned that an attempted reflected denial-of-service (RDoS) attack was identified by a service provider. This attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks. We immediately started to root cause and remediate this issue.” reads the advisory published by Palo Alto Networks. “Exploitation of this issue does not impact the confidentiality, integrity, or availability of our products.
The root cause of the issue affecting the Palo Alto Network devices is a misconfiguration in the PAN-OS URL filtering policy that allows a network-based attacker to conduct reflected and amplified TCP DoS attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against a target chosen by the attackers.
The issue could be exploited if the firewall configuration has a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface.
The flaw can be mitigated by removing the URL filtering policy, the company also recommends enabling only one security feature between packet-based attack protection and flood protection on their Palo Alto.
If exploited, this flaw would not impact the confidentiality, integrity, or availability of Palo Alto Networks products. However, the company pointed out that the resulting denial-of-service (DoS) attack may allow threat actors to hide their identity and implicate the firewall as the source of the attack.
Below is the Product Status shared by the vendor:
|PAN-OS 10.2||< 10.2.2-h2||>= 10.2.2-h2 (ETA: week of August 15, 2022)|
|PAN-OS 10.1||< 10.1.6-h6||>= 10.1.6-h6|
|PAN-OS 10.0||< 10.0.11-h1||>= 10.0.11-h1 (ETA: week of August 15, 2022)|
|PAN-OS 9.1||< 9.1.14-h4||>= 9.1.14-h4 (ETA: week of August 15, 2022)|
|PAN-OS 9.0||< 9.0.16-h3||>= 9.0.16-h3 (ETA: week of August 15, 2022)|
|PAN-OS 8.1||< 8.1.23-h1||>= 8.1.23-h1 (ETA: August 15, 2022)|
|Prisma Access 3.1||None||All|
|Prisma Access 3.0||None||All|
|Prisma Access 2.2||None||All|
|Prisma Access 2.1||None||All|
CISA orders federal agencies to fix both issues by September 12, 2022.
(SecurityAffairs – hacking, PAN-OS)