CISA is Warning of High-severity PAN-OS DDoS Flaw Used in Attacks
A recent vulnerability found in Palo Alto Networks’ PAN-OS has been added to the catalog of Known Exploitable Vulnerabilities from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The high-severity issue, tracked as CVE-2022-0028, allows a remote, unauthenticated threat actor to launch reflected and amplified denial-of-service (DoS) attacks.
Certain conditions apply
Several PAN-OS versions powering PA-Series, VM-Series, and CN-Series devices are vulnerable to CVE-2022-0028 and Palo Alto Networks has released patches for all of them.
While exploiting the flaw can only cause a DoS condition on the affected device, it has already been used for at least one attack.
In a security advisory on August 12, Palo Alto Networks says that they became aware of the issue after receiving an alert about an attempted reflected denial-of-service (RDoS) attack through one of its products.
According to the vendor, a threat actor exploiting the issue could hide their original IP address, making remediation a more difficult task.
CISA is warning federal agencies that they should apply available fixes by September 9 and is using the following summary to describe it:
A Palo Alto Networks PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.
Palo Alto Networks says that CVE-2022-0028 is exploitable only under certain conditions, which are not part of a common firewall configuration:
- The security policy on the firewall that allows traffic to pass from Zone A to Zone B includes a URL filtering profile with one or more blocked categories
- Packet-based attack protection is not enabled in a Zone Protection profile for Zone A, including both (Packet Based Attack Protection > TCP Drop > TCP Syn With Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open)
- Flood protection through SYN cookies is not enabled in a Zone Protection profile for Zone A (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections
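The three conditions above can be turned into a configuration audit. The following is an added example, not code from the article or from Palo Alto Networks: it checks a simplified, constructed model of security rules and Zone Protection profiles and reports, for each rule that meets all three conditions, which mitigation to enable on the source zone. The field names and the dict shape are assumptions for illustration, not the PAN-OS export format.

```python
from dataclasses import dataclass, field
@dataclass
class ZoneProtectionProfile:
    tcp_syn_with_data_drop: bool = False  # Packet Based Attack Protection > TCP Drop > TCP Syn With Data
    strip_tcp_fast_open: bool = False     # Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open
    syn_flood_action: str = "none"        # Flood Protection > SYN > Action; "syn-cookie" is the mitigating value
    syn_activate_threshold: int = 100     # connections before the SYN action activates; 0 means always on

@dataclass
class SecurityRule:
    name: str
    from_zone: str  # source zone, "Zone A" in the advisory (the destination zone does not affect the check)
    blocked_url_categories: list = field(default_factory=list)  # from the rule's URL filtering profile

def missing_mitigations(profile):
    """Return which of the two Zone Protection mitigations from the advisory the profile lacks."""
    missing = []
    if profile is None or not (profile.tcp_syn_with_data_drop and profile.strip_tcp_fast_open):
        missing.append("packet-based attack protection (drop TCP SYN with data, strip TCP Fast Open)")
    if profile is None or not (profile.syn_flood_action == "syn-cookie" and profile.syn_activate_threshold == 0):
        missing.append("SYN cookies with activation threshold 0")
    return missing

def exposed_rules(rules, zone_profiles):
    """Map each rule meeting all three advisory conditions to the mitigations its source zone lacks.
    zone_profiles maps a zone name to its ZoneProtectionProfile, or None if no profile is attached."""
    result = {}
    for rule in rules:
        if not rule.blocked_url_categories:
            continue  # condition 1 not met: no URL filtering profile with blocked categories
        missing = missing_mitigations(zone_profiles.get(rule.from_zone))
        if len(missing) == 2:  # conditions 2 and 3: neither mitigation is in place on Zone A
            result[rule.name] = missing
    return result

# Constructed sample configuration for the demo, not a real PAN-OS export
SAMPLE_PROFILES = {
    "untrust": None,  # no Zone Protection profile attached at all
    "dmz": ZoneProtectionProfile(syn_flood_action="syn-cookie", syn_activate_threshold=0),
    "trust": ZoneProtectionProfile(tcp_syn_with_data_drop=True, strip_tcp_fast_open=True),
}
SAMPLE_RULES = [
    SecurityRule("untrust-to-dmz", "untrust", ["malware", "phishing"]),
    SecurityRule("dmz-to-trust", "dmz", ["malware"]),
    SecurityRule("trust-to-untrust", "trust", []),
]

if __name__ == "__main__":
    for name, missing in exposed_rules(SAMPLE_RULES, SAMPLE_PROFILES).items():
        print(f"{name}: add {', '.join(missing)}")
```

Only the rule whose source zone has neither mitigation and whose URL filtering profile blocks categories is reported; a zone with SYN cookies at threshold 0 or with both packet-based drops enabled is already outside the advisory's conditions.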
If organizations with vulnerable devices cannot apply the most recent updates immediately, they can use the following guide from the vendor as a workaround until fixes can be installed.
The current catalog of Known Exploitable Vulnerabilities from CISA lists 802 security issues that organizations around the world could use to improve their defenses.