CVE-2022-0028
Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
YesDecision
Descriptions
A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target. To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a source zone that has an external facing interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator. If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack. We have taken prompt action to address this issue in our PAN-OS software. All software updates for this issue are expected to be released no later than the week of August 15, 2022. This issue does not impact Panorama M-Series or Panorama virtual appliances. This issue has been resolved for all Cloud NGFW and Prisma Access customers and no additional action is required from them.
Una mala configuración de la política de filtrado de URL de PAN-OS podría permitir a un atacante basado en la red conducir ataques de denegación de servicio TCP reflejados y amplificados (RDoS). El ataque de denegación de servicio parecería originarse desde un firewall de la serie PA (hardware), la serie VM (virtual) y la serie CN (contenedor) de Palo Alto Networks contra un objetivo especificado por el atacante. Para que un atacante externo haga un uso no debido, la configuración del firewall debe tener un perfil de filtrado de URL con una o más categorías bloqueadas asignadas a una zona de origen que tenga una interfaz de cara al exterior. Esta configuración no es típica para el filtrado de URL y, si es establecido, es probable que no sea intencionada por el administrador. Si es explotado, este problema no afectaría a la confidencialidad, integridad o disponibilidad de nuestros productos. Sin embargo, el ataque de denegación de servicio (DoS) resultando puede ayudar a ofuscar la identidad del atacante e implicar al firewall como la fuente del ataque. Hemos tomado medidas rápidas para abordar este problema en nuestro software PAN-OS. Es esperado que todas las actualizaciones de software para este problema sean publicadas a más tardar en la semana del 15 de agosto de 2022. Este problema no afecta a dispositivos virtuales de Panorama M-Series o Panorama. Este problema ha sido resuelto para todos los clientes de Cloud NGFW y Prisma Access y no es requerida ninguna acción adicional por su parte
A Palo Alto Networks PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2021-12-28 CVE Reserved
- 2022-08-10 CVE Published
- 2022-08-22 Exploited in Wild
- 2022-09-12 KEV Due Date
- 2024-03-02 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- First Exploit
CWE
- CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
CAPEC
References (1)
URL | Tag | Source |
---|---|---|
https://security.paloaltonetworks.com/CVE-2022-0028 | Mitigation |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Paloaltonetworks Search vendor "Paloaltonetworks" | Pan-os Search vendor "Paloaltonetworks" for product "Pan-os" | >= 8.1 < 8.1.23-h1 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 8.1 < 8.1.23-h1" | - |
Affected
| ||||||
Paloaltonetworks Search vendor "Paloaltonetworks" | Pan-os Search vendor "Paloaltonetworks" for product "Pan-os" | >= 9.0 < 9.0.16-h3 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.0 < 9.0.16-h3" | - |
Affected
| ||||||
Paloaltonetworks Search vendor "Paloaltonetworks" | Pan-os Search vendor "Paloaltonetworks" for product "Pan-os" | >= 9.1 < 9.1.14-h4 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.1 < 9.1.14-h4" | - |
Affected
| ||||||
Paloaltonetworks Search vendor "Paloaltonetworks" | Pan-os Search vendor "Paloaltonetworks" for product "Pan-os" | >= 10.0 < 10.0.11-h1 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 10.0 < 10.0.11-h1" | - |
Affected
| ||||||
Paloaltonetworks Search vendor "Paloaltonetworks" | Pan-os Search vendor "Paloaltonetworks" for product "Pan-os" | >= 10.1 < 10.1.6-h6 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 10.1 < 10.1.6-h6" | - |
Affected
| ||||||
Paloaltonetworks Search vendor "Paloaltonetworks" | Pan-os Search vendor "Paloaltonetworks" for product "Pan-os" | >= 10.2 < 10.2.2-h2 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 10.2 < 10.2.2-h2" | - |
Affected
|