CVE-2022-0028

Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service Vulnerability

Severity Score

8.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Attend

*SSVC

Descriptions

A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target. To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a source zone that has an external facing interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator. If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack. We have taken prompt action to address this issue in our PAN-OS software. All software updates for this issue are expected to be released no later than the week of August 15, 2022. This issue does not impact Panorama M-Series or Panorama virtual appliances. This issue has been resolved for all Cloud NGFW and Prisma Access customers and no additional action is required from them.

Una mala configuración de la política de filtrado de URL de PAN-OS podría permitir a un atacante basado en la red conducir ataques de denegación de servicio TCP reflejados y amplificados (RDoS). El ataque de denegación de servicio parecería originarse desde un firewall de la serie PA (hardware), la serie VM (virtual) y la serie CN (contenedor) de Palo Alto Networks contra un objetivo especificado por el atacante. Para que un atacante externo haga un uso no debido, la configuración del firewall debe tener un perfil de filtrado de URL con una o más categorías bloqueadas asignadas a una zona de origen que tenga una interfaz de cara al exterior. Esta configuración no es típica para el filtrado de URL y, si es establecido, es probable que no sea intencionada por el administrador. Si es explotado, este problema no afectaría a la confidencialidad, integridad o disponibilidad de nuestros productos. Sin embargo, el ataque de denegación de servicio (DoS) resultando puede ayudar a ofuscar la identidad del atacante e implicar al firewall como la fuente del ataque. Hemos tomado medidas rápidas para abordar este problema en nuestro software PAN-OS. Es esperado que todas las actualizaciones de software para este problema sean publicadas a más tardar en la semana del 15 de agosto de 2022. Este problema no afecta a dispositivos virtuales de Panorama M-Series o Panorama. Este problema ha sido resuelto para todos los clientes de Cloud NGFW y Prisma Access y no es requerida ninguna acción adicional por su parte

A Palo Alto Networks PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.

*Credits: Palo Alto Networks thanks CERT-XLM for reporting this issue.

CVSS Scores

NISTv3.1 8.6

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2021-12-28 CVE Reserved
2022-08-10 CVE Published
2022-08-22 Exploited in Wild
2022-09-12 KEV Due Date
2024-03-02 EPSS Updated
2024-09-16 CVE Updated
---------- First Exploit

CWE

CWE-406: Insufficient Control of Network Message Volume (Network Amplification)

CAPEC

References (1)

URL	Tag	Source
https://security.paloaltonetworks.com/CVE-2022-0028	Mitigation

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				>= 8.1 < 8.1.23-h1 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 8.1 < 8.1.23-h1"		-		Affected
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				>= 9.0 < 9.0.16-h3 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.0 < 9.0.16-h3"		-		Affected
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				>= 9.1 < 9.1.14-h4 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.1 < 9.1.14-h4"		-		Affected
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				>= 10.0 < 10.0.11-h1 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 10.0 < 10.0.11-h1"		-		Affected
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				>= 10.1 < 10.1.6-h6 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 10.1 < 10.1.6-h6"		-		Affected
Paloaltonetworks Search vendor "Paloaltonetworks"		Pan-os Search vendor "Paloaltonetworks" for product "Pan-os"				>= 10.2 < 10.2.2-h2 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 10.2 < 10.2.2-h2"		-		Affected