CISA is Warning of High-severity PAN-OS DDoS Flaw Used in Attacks

A recent vulnerability found in Palo Alto Networks’ PAN-OS has been added to the catalog of Known Exploitable Vulnerabilities from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The security issue is a high-severity risk identified as CVE-2022-0028 that allows a remote threat actor to deploy reflected and amplified denial-of-service (DoS) attacks without having to authenticate.

Certain conditions apply

Several PAN-OS versions powering PA-Series, VM-Series, and CN-Series devices are vulnerable to CVE-2022-0028 and Palo Alto Networks has released patches for all of them.

Also Read: Knowing PDPA policy and its strategies to boost data protection in the workplace

While exploiting the flaw can only cause a DoS condition on the affected device, it has already been used for at least one attack.

In a security advisory on August 12, Palo Alto Networks says that they became aware of the issue after receiving an alert about an attempted reflected denial-of-service (RDoS) attack through one of its products.

According to the vendor, a threat actor exploiting the issue could hide their original IP address, making remediation a more difficult task.

CISA is warning federal agencies that they should apply available fixes by September 9 and is using the following summary to describe it:

A Palo Alto Networks PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.

Also Read: 7 Client data protection tips to secure your customers

Palo Alto Networks that CVE-2022-0028 is exploitable only under certain conditions, which are not part of a common firewall configuration:

• The security policy on the firewall that allows traffic to pass from Zone A to Zone B includes a URL filtering profile with one or more blocked categories
• Packet-based attack protection is not enabled in a Zone Protection profile for Zone A, including both (Packet Based Attack Protection > TCP Drop > TCP Syn With Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open)
• Flood protection through SYN cookies is not enabled in a Zone Protection profile for Zone A (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections

If organizations with vulnerable devices cannot apply the most recent updates immediately, they can use the following guide from the vendor as a workaround until fixes can be installed.

The current catalog of Known Exploitable Vulnerabilities from CISA lists 802 security issues that organizations around the world could use to improve their defenses.