Palo Alto Networks has released a security advisory for an actively exploited, high-severity vulnerability (CVE-2022-0028) in PAN-OS, the operating system that runs on the company’s networking hardware. The flaw is a PAN-OS URL filtering policy misconfiguration that could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. According to the advisory, the vulnerability does not affect the availability, confidentiality, or integrity of the products themselves. Panorama M-Series and Panorama virtual appliances are not affected.
All Palo Alto Networks® next-generation firewalls run PAN-OS® software, which natively uses the key technologies built into PAN-OS to provide full visibility and control of the applications in use across all devices, at any time and from anywhere.
An attacker could use the flaw to enlist a Palo Alto Networks PAN-OS device in DDoS attacks, hiding the attacker’s source IP and complicating remediation. Threat actors can also use such attacks for extortion or to disrupt a company’s business processes.
Palo Alto Networks recently learned that a service provider had identified an attempted reflected denial-of-service (RDoS) attack. The attempt used vulnerable firewalls from several different manufacturers, including Palo Alto Networks. The vendor states that it immediately began investigating the root cause and working on a fix.
Prerequisites for exploiting the vulnerability
To exploit this vulnerability, the firewall configuration must contain a URL filtering profile with one or more blocked categories assigned to a security rule whose source zone has an external-facing interface. This is not the default URL filtering configuration and is likely unintended by the administrator.
This vulnerability can only affect PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewalls when all three of the following conditions are true:
- The security policy on the firewall that allows traffic to pass from Zone A to Zone B includes a URL filtering profile with one or more blocked categories;
- Packet-based attack protection is not enabled in a Zone Protection profile for Zone A including both “Packet Based Attack Protection > TCP Drop > TCP Syn With Data” and “Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open”;
- Flood protection through SYN cookies (Flood Protection > SYN > Action > SYN Cookie) is not enabled in a Zone Protection profile for Zone A with an activation threshold of 0 connections.
Affected PAN-OS versions:
- PAN-OS 10.2 versions older than PAN-OS 10.2.2-h2
- PAN-OS 10.1 versions older than PAN-OS 10.1.6-h6
- PAN-OS 10.0 versions older than PAN-OS 10.0.11-h1
- PAN-OS 9.1 versions older than PAN-OS 9.1.14-h4
- PAN-OS 9.0 versions older than PAN-OS 9.0.16-h3
- PAN-OS 8.1 versions older than PAN-OS 8.1.23-h1
According to the Palo Alto Networks advisory, to prevent denial-of-service (DoS) attacks resulting from this issue from all sources, configure your Palo Alto Networks firewalls by enabling one of the two Zone Protection mitigations below on every Security zone that has an assigned Security policy including a URL filtering profile:
- Packet-based attack protection including both “Packet Based Attack Protection > TCP Drop > TCP SYN with Data” and “Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open”;
- Flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
NOTE: It is not necessary to apply both the packet-based attack protection and the flood protection; one of the two is sufficient.
Do not enable either of these protections if you are using Aporeto software; instead, upgrade to a patched version of PAN-OS.
1) Packet-Based Attack Protection Workaround (Recommended)
Follow the Palo Alto Networks technical documentation to configure the packet-based attack protection options for every defined Security zone whose Security profile has URL filtering enabled.
The packet-based attack protection workaround prevents the firewall from establishing a TCP session in the impacted zones when the TCP SYN packet of the three-way handshake carries data. Note that this workaround may disrupt applications in the zone that use TCP Fast Open.
2) Flood Protection Workaround (Alternate)
If you instead decide to enable the flood protection workaround, first make sure you understand how enabling SYN cookies will change traffic flow in the impacted zones.
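The three exposure conditions and the two Zone Protection mitigations above can be checked offline against an exported PAN-OS XML configuration. The audit script below is an added example, not Palo Alto Networks or Qualys code; it assumes the PAN-OS XML element names shown (discard-tcp-syn-with-data, strip-tcp-fast-open-and-data, flood/tcp-syn/syn-cookies/activate-rate, and the zone, profile and rule paths) and runs on a constructed sample config.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample (not a real export). Element names follow the PAN-OS XML layout
# as assumed here: zone "untrust" has no Zone Protection profile, zone "dmz" has one
# with SYN cookies at an activation threshold of 0.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network><profiles><zone-protection-profile><entry name="zpp-syncookie"><flood><tcp-syn>
  <enable>yes</enable><syn-cookies><activate-rate>0</activate-rate></syn-cookies>
</tcp-syn></flood></entry></zone-protection-profile></profiles></network>
<vsys><entry name="vsys1"><zone><entry name="untrust"><network/></entry><entry name="dmz">
  <network><zone-protection-profile>zpp-syncookie</zone-protection-profile></network></entry></zone>
<profiles><url-filtering><entry name="block-malware"><block><member>malware</member></block></entry>
</url-filtering></profiles><rulebase><security><rules>
<entry name="allow-web"><from><member>untrust</member><member>dmz</member></from><profile-setting>
  <profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting></entry>
<entry name="allow-dns"><from><member>untrust</member></from></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

def zone_mitigated(zpp: Optional[ET.Element]) -> bool:
    """True if a Zone Protection profile carries either advisory mitigation (assumed element names)."""
    if zpp is None:                      # zone has no Zone Protection profile at all
        return False
    syn_with_data = zpp.findtext("discard-tcp-syn-with-data") == "yes"
    strip_tfo = zpp.findtext("strip-tcp-fast-open-and-data") == "yes"
    syn_cookie = (zpp.findtext("flood/tcp-syn/enable") == "yes"
                  and zpp.findtext("flood/tcp-syn/syn-cookies/activate-rate") == "0")
    return (syn_with_data and strip_tfo) or syn_cookie

def exposed_rules(config_xml: str) -> List[Tuple[str, str]]:
    """Return (rule name, source zone) pairs for which all three exposure conditions hold."""
    root = ET.fromstring(config_xml)
    zpps = {e.get("name"): e for e in root.iterfind(".//zone-protection-profile/entry")}
    findings = []
    for vsys in root.iterfind(".//vsys/entry"):
        blocking = {e.get("name") for e in vsys.iterfind("profiles/url-filtering/entry")
                    if e.find("block/member") is not None}   # profiles that block a category
        zone_zpp = {z.get("name"): zpps.get(z.findtext("network/zone-protection-profile"))
                    for z in vsys.iterfind("zone/entry")}    # zone -> its profile, or None
        for rule in vsys.iterfind("rulebase/security/rules/entry"):
            if rule.findtext("profile-setting/profiles/url-filtering/member") not in blocking:
                continue                 # condition 1 not met: no blocking URL filtering profile
            for zone in rule.iterfind("from/member"):
                if not zone_mitigated(zone_zpp.get(zone.text)):   # conditions 2 and 3
                    findings.append((rule.get("name"), zone.text))
    return findings
```

Running `exposed_rules(SAMPLE_CONFIG)` flags only the allow-web rule in the untrust zone; the dmz zone is covered by its SYN-cookie profile and allow-dns has no URL filtering profile.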
This issue is fixed in PAN-OS 8.1.23-h1, PAN-OS 10.1.6-h6, and all later PAN-OS versions for PA-Series, VM-Series, and CN-Series firewalls. Customers can refer to the Palo Alto Networks Security Advisory for information regarding patching this vulnerability.
Qualys customers can scan their devices with QID 730595 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.