PAN-OS reflected amplification DoS vulnerability

Overview

A denial-of-service (DoS) vulnerability in Palo Alto Networks’ operating system (PAN-OS) has been exploited by malicious actors.

The vulnerability is being tracked as CVE-2022-0028. It stems from a URL filtering policy misconfiguration that could allow a malicious actor to perform reflected and amplified TCP denial-of-service (RDoS) attacks. When the vulnerability is exploited, the attack traffic appears to originate from a PA-Series (hardware), VM-Series (virtual) or CN-Series (container) firewall, which sends spurious traffic to a target selected by the malicious actor.

Impact

A malicious actor can misuse this vulnerability when a firewall configuration has a URL filtering profile with one or more blocked categories assigned to an external-facing interface. This configuration is not typical for URL filtering and was likely implemented unintentionally by the administrator. A malicious actor performing a DoS attack that relies on this misconfiguration could route the attack through a Palo Alto Networks PAN-OS device, concealing the malicious actor’s original IP address.

The discovered vulnerability does not impact Panorama M-Series or Panorama virtual appliances.

Vulnerability Detection

A device is exposed when it is running one of the PAN-OS versions listed under Affected Products below and its configuration has a URL filtering profile with one or more blocked categories assigned to an external-facing interface.

Affected Products

The vulnerability is found in the following versions of PAN-OS:

● PAN-OS prior to version 10.2.2-h2

● PAN-OS prior to version 10.1.6-h6

● PAN-OS prior to version 10.0.11-h1

● PAN-OS prior to version 9.1.14-h4

● PAN-OS prior to version 9.0.16-h3

● PAN-OS prior to version 8.1.23-h1
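The version list above reads naturally, but comparing a running version against it by hand is error-prone because PAN-OS hotfix suffixes (`-h2`, `-h6`) sort after the base maintenance release. The following added example is not from the original advisory or from Palo Alto Networks; it parses PAN-OS version strings, compares a device’s version against the first fixed build of its own release line, and combines that with the URL filtering condition described under Impact to give a single exposure verdict. The `sw-version:` line is taken from the real PAN-OS CLI command `show system info`; the sample output and hostname in the block are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# First fixed build per PAN-OS release line, as listed in the advisory.
# Any build below these within the same line is affected.
FIXED_VERSIONS = [
    "10.2.2-h2",
    "10.1.6-h6",
    "10.0.11-h1",
    "9.1.14-h4",
    "9.0.16-h3",
    "8.1.23-h1",
]

# PAN-OS versions look like MAJOR.MINOR.MAINT or MAJOR.MINOR.MAINT-hN
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# 'sw-version:' as printed by the PAN-OS CLI command 'show system info'
SW_VERSION_RE = re.compile(r"^\s*sw-version:\s*(\S+)", re.MULTILINE)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.1.6-h6' into (10, 1, 6, 6); a missing hotfix counts as 0."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fix for its release line,
    False if it is at or above the fix, None if the advisory lists
    no fix for that release line (e.g. a line not mentioned at all)."""
    running = parse_version(version)
    for fixed in FIXED_VERSIONS:
        fixed_parsed = parse_version(fixed)
        if fixed_parsed[:2] == running[:2]:  # same MAJOR.MINOR line
            return running < fixed_parsed
    return None


def version_from_system_info(cli_output: str) -> str:
    """Extract the sw-version value from 'show system info' output."""
    match = SW_VERSION_RE.search(cli_output)
    if not match:
        raise ValueError("no sw-version line found in output")
    return match.group(1)


def exposure_verdict(version: str, url_block_profile_on_external: bool) -> str:
    """Combine the version check with the misconfiguration the advisory
    describes: a URL filtering profile with blocked categories assigned
    to an external-facing interface. Both conditions are needed."""
    affected = is_affected(version)
    if affected is None:
        return "unknown release line: check vendor advisory"
    if not affected:
        return "patched: version at or above fixed build"
    if url_block_profile_on_external:
        return "exposed: vulnerable version and misconfiguration present"
    return "vulnerable version, but exploitable configuration not present"


# Constructed sample of 'show system info' output (hostname and model are
# illustrative, not real devices).
SAMPLE_SYSTEM_INFO = """\
hostname: edge-fw-01
model: PA-3220
sw-version: 10.1.5
app-version: 8598-7308
"""

if __name__ == "__main__":
    running = version_from_system_info(SAMPLE_SYSTEM_INFO)
    print(running, "->", exposure_verdict(running, url_block_profile_on_external=True))
```

Note that `10.1.6` without a hotfix suffix is still reported as affected, because the advisory names `10.1.6-h6` as the first fixed build of that line; this is exactly the case a naive string comparison gets wrong.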

Containment, Mitigations & Remediations

Palo Alto Networks has already remediated the vulnerability for cloud-based firewall and Prisma Access customers; Panorama M-Series and Panorama virtual appliances are not affected.

Palo Alto has released a workaround to prevent the DoS attack on the affected products. At the time of writing, only the PAN-OS 10.1 release line has a patch available (10.1.6-h6).

The following versions of PAN-OS have not yet had a software patch released to remediate the vulnerability; however, Palo Alto has advised that these patches are expected to be released imminently:

● PAN-OS prior to 10.2.2-h2

● PAN-OS prior to 10.0.11-h1

● PAN-OS prior to 9.1.14-h4

● PAN-OS prior to 9.0.16-h3

● PAN-OS prior to 8.1.23-h1

Indicators of Compromise

The vulnerability was discovered after Palo Alto was notified that one of its devices was being utilised in an active DoS attack. The attempted attack tried to take advantage of firewalls from various vendors, one of which was Palo Alto Networks. According to Palo Alto, the vulnerability does not impact the confidentiality, integrity or availability of its products.

Threat Landscape

Palo Alto provides network security, cloud security, endpoint protection and cloud-delivered security services. Palo Alto firewalls detect known and unknown threats in order to prevent a broad range of attacks across their customers’ deployments.

Palo Alto has confirmed active exploitation is being undertaken by threat actors leveraging this vulnerability.

Mitre Methodologies

T1498 – Network Denial of Service

T0814 – Denial of Service

Further Information

CVE-2022-0028 PAN-OS

PAN-OS DDoS flaw exploited in attacks

PAN-OS

Palo Alto Firewalls & Appliances