CISA adds Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog

Pierluigi Paganini August 23, 2022

US Cybersecurity and Infrastructure Security Agency (CISA) added a flaw, tracked as CVE-2022-0028, affecting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The issue, tracked as CVE-2022-0028 (CVSS score: 8.6), is a URL filtering policy misconfiguration that could be exploited by an unauthenticated, remote attacker to carry out reflected and amplified TCP denial-of-service (DoS) attacks.

“A Palo Alto Networks PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.” reads the advisory published by CISA.

Last week, the vendor reported that threat actors are exploiting the CVE-2022-0028 vulnerability in Palo Alto Networks devices running the PAN-OS to launch reflected amplification denial-of-service (DoS) attacks.

The vendor has learned that firewalls from multiple vendors are abused to conduct distributed denial-of-service (DDoS) attacks, but it did not disclose the name of the impacted companies.

“Palo Alto Networks recently learned that an attempted reflected denial-of-service (RDoS) attack was identified by a service provider. This attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks. We immediately started to root cause and remediate this issue.” reads the advisory published by Palo Alto Networks. “Exploitation of this issue does not impact the confidentiality, integrity, or availability of our products.

The root cause of the issue affecting the Palo Alto Network devices is a misconfiguration in the PAN-OS URL filtering policy that allows a network-based attacker to conduct reflected and amplified TCP DoS attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against a target chosen by the attackers.

Palo Alto Networks GlobalProtect VPN

The issue could be exploited if the firewall configuration has a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface.

The flaw can be mitigated by removing the URL filtering policy, the company also recommends enabling only one security feature between packet-based attack protection and flood protection on their Palo Alto.

If exploited, this flaw would not impact the confidentiality, integrity, or availability of Palo Alto Networks products. However, the company pointed out that the resulting denial-of-service (DoS) attack may allow threat actors to hide their identity and implicate the firewall as the source of the attack.

Below is the Product Status shared by the vendor:

VERSIONSAFFECTEDUNAFFECTED
Cloud NGFWNoneAll
PAN-OS 10.2< 10.2.2-h2>= 10.2.2-h2 (ETA: week of August 15, 2022)
PAN-OS 10.1< 10.1.6-h6>= 10.1.6-h6
PAN-OS 10.0< 10.0.11-h1>= 10.0.11-h1 (ETA: week of August 15, 2022)
PAN-OS 9.1< 9.1.14-h4>= 9.1.14-h4 (ETA: week of August 15, 2022)
PAN-OS 9.0< 9.0.16-h3>= 9.0.16-h3 (ETA: week of August 15, 2022)
PAN-OS 8.1< 8.1.23-h1>= 8.1.23-h1 (ETA: August 15, 2022)
Prisma Access 3.1NoneAll
Prisma Access 3.0NoneAll
Prisma Access 2.2NoneAll
Prisma Access 2.1NoneAll

CISA orders federal agencies to fix both issues by September 12, 2022.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PAN-OS)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment