August 17, 2022
The flaw has been exploited in real-world attacks, but most Palo Alto customers will remain unaffected.
In the second week of August, Palo Alto Networks issued a security warning for a high-severity vulnerability in its PAN-OS operating system. Many of the company’s networking hardware products use this operating system, but not all of them are susceptible.
The vulnerability’s official designation is CVE-2022-0028 (CVSS v3 – 8.6). It relies on filtering policy misconfiguration that allows network-based attackers to conduct denial-of-service attacks. Correctly configured Palo Alto hardware is not affected.
If exploited, attackers can use this flaw to launch reflected and amplified TCP denial-of-service attacks. These attacks would appear to originate from a Palo Alto Networks hardware device, virtual machine, or container. This might allow an attacker to obfuscate the source of their attack, making it much harder for security analysts to investigate and remediate it.
This flaw is exclusively used for DDoS attacks. The confidentiality, integrity, and availability of the product is not impacted, and attackers cannot use it to gain control of those assets or further infiltrate victims’ networks.
Several recent versions of PAN-OS are vulnerable to this flaw:
- PAN-OS 10.2.2-h2
- PAN-OS 10.1.6-h6
- PAN-OS 10.0.11-h1
- PAN-OS 9.1.14-h4
- PAN-OS 9.0.16-h3
- PAN-OS 8.1.23-h1 and prior
The company is currently in the process of developing security patches for these OS builds. We recommend users update to the latest patch as soon as it’s available.
Vulnerability Prerequisites Include an Unusual Firewall Configuration
The affected PAN-OS builds run on Palo Alto PA-Series, VM-Series, and CN-series devices, but the vulnerability relies on three conditions:
- A firewall rule assigned to a source zone with an external facing interface must include a URL filtering profile that includes one or more blocked categories.
- The Zone Protection profile for Zone A must not have packet-based attack protection enabled. This includes both the TCP Syn With Data and TCP Fast Open options.
- The Zone Protection profile for Zone A must not have flood protection through SYN cookies enabled with an activation threshold of zero connections.
This is an uncommon set of conditions, most likely the result of unintentional error.
URL filtering policies are designed to trigger when a user tries to access disallowed websites from inside a protected network. Configuring the URL filter to work the other direction (from incoming traffic originating on the public Internet towards a destination on the protected network) offers no practical security benefit.
This kind of error can occur when security personnel are not familiar with the specific products and technologies the organization uses. Even experienced security professionals can make mistakes if they don’t have platform-specific product expertise.
Recommendations for Palo Alto Hardware Users
Since attackers can’t exploit this vulnerability on networks that don’t meet all three criteria, system administrators should quickly check their PAN-OS configuration to make sure at least one of those prerequisites isn’t met.
Verifying your URL filtering configuration is a good way to ensure your network is not vulnerable. Palo Alto Networks recommends applying a packet-based attack protection workaround as well.
System administrators who catch this URL filtering firewall misconfiguration on their servers are well-advised to investigate the source of the misconfiguration itself. While it’s unlikely to be the result of malicious insider activity, it could suggest the existence of other unusual or suboptimal configurations throughout the network.
One of the benefits of working with a managed detection and response vendor like Castra is the ability to proactively seek and mitigate risks associated with improper technical configurations. Our team’s product expertise can help you ensure your network assets enjoy comprehensive protection according to the unique demands of your company’s security posture.
Need further assistance? Contact us. Our team is here to help!