Palo Alto Networks Devices Running PAN-OS Could Allow Attacker to Launch DoS Attack

A high-severity issue tracked as CVE-2022-0028, with a CVSS score of 8.6, in Palo Alto Networks devices running PAN-OS could allow an attacker to launch a denial-of-service (DoS) attack.

The issue stems from a misconfiguration in the PAN-OS URL filtering policy that allows a network-based attacker to carry out reflected and amplified TCP DoS attacks. The attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual), or CN-Series (container) firewall and be directed against an attacker-specified target.

“If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack”, reads the advisory published by Palo Alto Networks.

Product Status

| Versions          | Affected    | Unaffected                                      |
|-------------------|-------------|-------------------------------------------------|
| Cloud NGFW        | None        | All                                             |
| PAN-OS 10.2       | < 10.2.2-h2 | >= 10.2.2-h2 (ETA: week of August 15, 2022)     |
| PAN-OS 10.1       | < 10.1.6-h6 | >= 10.1.6-h6                                    |
| PAN-OS 10.0       | < 10.0.11-h1 | >= 10.0.11-h1 (ETA: week of August 15, 2022)   |
| PAN-OS 9.1        | < 9.1.14-h4 | >= 9.1.14-h4 (ETA: week of August 15, 2022)     |
| PAN-OS 9.0        | < 9.0.16-h3 | >= 9.0.16-h3 (ETA: week of August 15, 2022)     |
| PAN-OS 8.1        | < 8.1.23-h1 | >= 8.1.23-h1 (ETA: August 15, 2022)             |
| Prisma Access 3.1 | None        | All                                             |
| Prisma Access 3.0 | None        | All                                             |
| Prisma Access 2.2 | None        | All                                             |
| Prisma Access 2.1 | None        | All                                             |

Software Update Available

Palo Alto Networks has released a security update to address a vulnerability in PAN-OS firewall configurations. The company has also identified workarounds that prevent the denial-of-service (DoS) attacks resulting from this issue on Palo Alto Networks firewalls with this policy configuration.

This issue is fixed in PAN-OS 10.1.6-h6 and all later PAN-OS versions for PA-Series, VM-Series, and CN-Series firewalls. The company anticipates releasing all PAN-OS software updates for this issue no later than the week of August 15, 2022.

Mitigation

To prevent denial-of-service (DoS) attacks resulting from this issue from all sources, configure your Palo Alto Networks firewalls by enabling one of two Zone Protection mitigations on all Security zones with an assigned Security policy that includes a URL filtering profile:

  1. Packet-based attack protection, including both (Packet Based Attack Protection > TCP Drop > TCP SYN with Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open); or

  2. Flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.