Overview
A high-severity vulnerability was found in Palo Alto Networks’ PAN-OS. According to Palo Alto Networks, CVE-2022-0028 is a URL filtering policy misconfiguration issue that could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.
The bug has been given a CVSS score of 8.6 and was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalogue. CVE-2022-0028 was discovered when Palo Alto Networks received a warning about an RDoS attack attempt that used one of its products (a PA-Series, VM-Series, or CN-Series firewall) against an attacker-specified target.
Palo Alto Networks stated that exploitation of the vulnerability would not impact the integrity or confidentiality of its products. However, the RDoS attack could help an attacker obfuscate their identity and implicate the firewall as the source of the attack. The company stated that it has addressed the issue in its PAN-OS software and that all updates are now available.
Palo Alto Networks has resolved the issue for Cloud NGFW and Prisma Access customers and there is no additional action required from them. The vulnerability does not impact Panorama M-Series or Panorama virtual appliances. Palo Alto Networks has fixed the flaw in the following PAN-OS versions:
- PAN-OS 8.1.23-h1
- PAN-OS 9.0.16-h3
- PAN-OS 9.1.14-h4
- PAN-OS 10.0.11-h1
- PAN-OS 10.1.6-h6
- PAN-OS 10.2.2-h2
- And all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.
How Avertium is Protecting Our Customers:
- Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident.
- Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
- Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
Avertium's recommendations
Palo Alto Networks recommends the following Workarounds and Mitigations for CVE-2022-0028:
- If you have a URL filtering policy with one or more blocked categories assigned to a security rule with a source zone that has an external facing interface, removing this configuration will prevent this issue from being exploited by remote attackers to conduct reflected DoS.
- To prevent denial-of-service (DoS) attacks resulting from this issue from all sources, you can configure your Palo Alto Networks firewalls by enabling one of the following two zone protection mitigations on all Security zones with an assigned Security policy that includes a URL filtering profile:
  1. Packet-based attack protection, including both Packet Based Attack Protection > TCP Drop > TCP SYN with Data and Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open; OR
  2. Flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
- Please note that Palo Alto Networks states that it is not necessary or recommended to apply both flood protections. For more detailed instructions, please read the company’s advisory.
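As an added example (not code from Avertium or Palo Alto Networks), the following Python check applies the exposure conditions above to a constructed, simplified model of zone, security-rule and zone-protection settings. The model's fields, the `external_facing` tag and the sample data are assumptions for illustration, not PAN-OS's real configuration schema; map them to your own exported configuration before relying on the result.

```python
# Constructed, simplified model of only the settings the CVE-2022-0028 workarounds
# depend on; this is not PAN-OS's real configuration schema.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class ZoneProtection:
    drop_tcp_syn_with_data: bool = False  # TCP Drop > TCP SYN with Data
    strip_tcp_fast_open: bool = False     # TCP Drop > Strip TCP Options > TCP Fast Open
    syn_cookie: bool = False              # Flood Protection > SYN > Action > SYN Cookie
    syn_cookie_threshold: Optional[int] = None  # SYN cookie activation threshold

    def packet_based_ok(self) -> bool:  # workaround 1 needs both TCP Drop settings
        return self.drop_tcp_syn_with_data and self.strip_tcp_fast_open

    def flood_ok(self) -> bool:  # workaround 2 needs SYN cookie at activation threshold 0
        return self.syn_cookie and self.syn_cookie_threshold == 0

@dataclass
class Zone:
    external_facing: bool  # assumption: operator tags zones that hold external interfaces
    protection: Optional[ZoneProtection] = None

# A security rule is (name, source zones, attached URL filtering profile or None).
Rule = Tuple[str, List[str], Optional[str]]

def audit(rules: List[Rule], zones: Dict[str, Zone],
          url_profiles: Dict[str, List[str]]) -> List[str]:
    """Flag (rule, source zone) pairs matching the advisory's exposed pattern, plus zones with both mitigations."""
    findings = []
    for name, src_zones, profile in rules:
        if not url_profiles.get(profile or ""):  # profile blocks no categories: not exposed
            continue
        for zname in src_zones:
            zone = zones[zname]
            if not zone.external_facing:
                continue
            zp = zone.protection or ZoneProtection()
            if zp.packet_based_ok() and zp.flood_ok():
                findings.append(f"{name}/{zname}: both mitigations enabled; one suffices")
            elif not (zp.packet_based_ok() or zp.flood_ok()):
                findings.append(f"{name}/{zname}: exposed, no zone protection mitigation")
    return findings

# Constructed sample: 'untrust' is external and unmitigated, 'dmz' uses SYN cookies at threshold 0.
SAMPLE_ZONES = {"untrust": Zone(True), "trust": Zone(False),
                "dmz": Zone(True, ZoneProtection(syn_cookie=True, syn_cookie_threshold=0))}
SAMPLE_PROFILES = {"block-malware": ["malware", "phishing"], "alert-only": []}
SAMPLE_RULES = [("inbound-web", ["untrust", "dmz"], "block-malware"),
                ("outbound", ["trust"], "block-malware"), ("monitor", ["untrust"], "alert-only")]
```

Running `audit(SAMPLE_RULES, SAMPLE_ZONES, SAMPLE_PROFILES)` reports only the untrust zone on the inbound-web rule; a SYN cookie profile with a non-zero activation threshold is still reported as exposed, matching the advisory's threshold-of-0 requirement.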
INDICATORS OF COMPROMISE (IOCs):
At this time, there are no known IoCs associated with CVE-2022-0028. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
Supporting documentation
CVE-2022-0028 PAN-OS: Reflected Amplification Denial-of-Service (DoS) Vulnerability in URL Filtering (paloaltonetworks.com)
CISA issues warning on active exploitation of Palo Alto Networks PAN-OS flaw (computing.co.uk)
Firewall Bug Under Active Attack Triggers CISA Warning | Threatpost
Contact us for more information about Avertium’s managed security service capabilities.