
CVE-2022-0011

PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering

Severity Score (CVSS v3.1): 6.5
Exploit Likelihood (EPSS): -
Affected Versions (CPE): listed under Affected Vendors, Products, and Versions
Public Exploits (multiple sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): -

Description

PAN-OS software provides options to exclude specific websites from URL category enforcement; those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile. When the entries in these lists have a hostname pattern that does not end with a forward slash (/), or a hostname pattern that ends with an asterisk (*), any URL that starts with the specified pattern is considered a match. Entries with a caret (^) at the end of a hostname pattern match any top level domain. This may inadvertently allow or block more URLs than intended, and allowing more URLs than intended represents a security risk.

For example:
  • example.com will match example.com.website.test
  • example.com.* will match example.com.website.test
  • example.com.^ will match example.com.test

You should take special care when using such entries in policy rules that allow traffic. Where possible, use the exact list of hostnames ending with a forward slash (/) instead of using wildcards.

The following versions do not allow customers to change this behavior without changing the URL category list or EDL:
  • PAN-OS 10.1 versions earlier than PAN-OS 10.1.3
  • PAN-OS 10.0 versions earlier than PAN-OS 10.0.8
  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.12
  • all PAN-OS 9.0 versions
  • PAN-OS 8.1 versions earlier than PAN-OS 8.1.21
  • Prisma Access 2.2 and 2.1 versions
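To see how the three over-matching cases in the description play out, here is an added Python example (not code from the advisory or from PAN-OS) that models the matching rules as the advisory states them and audits a custom URL category or EDL entry list for entries that match more than their literal hostname. It assumes scheme-less "host/path" URL strings and treats a trailing "^" as exactly one top-level-domain label; both are assumptions of this example, not documented PAN-OS behaviour.

```python
from typing import List, Tuple

# Audit reasons, worded after the advisory's three over-matching cases.
NO_SLASH = "no trailing '/': any URL that starts with this pattern matches"
STAR = "trailing '*': any URL that starts with the pattern before '*' matches"
CARET = "trailing '^': matches the hostname under any top-level domain"


def _host(url: str) -> str:
    """Hostname part of a scheme-less 'host/path' string (assumed input form)."""
    return url.split("/", 1)[0]


def entry_matches(entry: str, url: str) -> bool:
    """Does `entry` match `url` under the rules the advisory describes?"""
    if entry.endswith("/"):
        # Exact hostname: the slash stops the pattern from matching longer hostnames.
        return _host(url) == entry[:-1]
    if entry.endswith("^"):
        # Assumption: '^' stands for exactly one label (the TLD), e.g. example.com.^ -> example.com.test
        base, host = entry[:-1], _host(url)
        tail = host[len(base):]
        return host.startswith(base) and tail != "" and "." not in tail
    if entry.endswith("*"):
        # Prefix wildcard: everything starting with the text before '*' matches.
        return url.startswith(entry[:-1])
    # No terminator at all: plain prefix match, so example.com also matches example.com.website.test
    return url.startswith(entry)


def audit_list(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) for every entry that matches more than its literal hostname."""
    findings = []
    for entry in entries:
        if entry.endswith("/"):
            continue  # the form the advisory recommends
        if entry.endswith("^"):
            findings.append((entry, CARET))
        elif entry.endswith("*"):
            findings.append((entry, STAR))
        else:
            findings.append((entry, NO_SLASH))
    return findings


if __name__ == "__main__":
    # Constructed allow list mirroring the advisory's examples; only the first entry is safe.
    allow_list = ["example.com/", "example.com", "example.com.*", "example.com.^"]
    for entry, reason in audit_list(allow_list):
        print(f"{entry!r}: {reason}")
    print(entry_matches("example.com", "example.com.website.test"))   # True: the unintended match
    print(entry_matches("example.com/", "example.com.website.test"))  # False: the recommended form
```

Run the audit over an exported custom URL category or EDL before attaching it to a rule that allows traffic; every finding is an entry whose reach should be confirmed or rewritten with a trailing slash.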

Credits: Palo Alto Networks thanks Chris Johnston of PricewaterhouseCoopers for discovering and reporting this issue.

CVSS Scores
CVSS v3.1 (base score 6.5)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None
CVSS v2.0
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-12-28 CVE Reserved
  • 2022-02-10 CVE Published
  • 2023-09-03 EPSS Updated
  • 2024-09-16 CVE Updated
  • Exploited in Wild: no date recorded
  • KEV Due Date: no date recorded
  • First Exploit: no date recorded
CWE
  • CWE-436: Interpretation Conflict
Affected Vendors, Products, and Versions
Vendor             Product        Version              Other        Status
Paloaltonetworks   Pan-os         >= 8.1.0 < 8.1.21    -            Affected
Paloaltonetworks   Pan-os         >= 9.0.0 <= 9.0.15   -            Affected
Paloaltonetworks   Pan-os         >= 9.1.0 < 9.1.12    -            Affected
Paloaltonetworks   Pan-os         >= 10.0.0 < 10.0.8   -            Affected
Paloaltonetworks   Pan-os         >= 10.1.0 < 10.1.3   -            Affected
Paloaltonetworks   Prisma Access  2.1                  innovation   Affected
Paloaltonetworks   Prisma Access  2.1                  preferred    Affected
Paloaltonetworks   Prisma Access  2.2                  preferred    Affected