A high-severity issue tracked as CVE-2022-0028 (CVSS score 8.6) in Palo Alto Networks firewalls running PAN-OS could allow an attacker to launch reflected and amplified TCP denial-of-service (DoS) attacks against a third-party target.
The issue stems from a misconfiguration in the PAN-OS URL filtering policy that allows a network-based attacker to carry out reflected and amplified TCP DoS attacks. The attack traffic appears to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual), or CN-Series (container) firewall and is directed at an attacker-specified target.
“If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack”, reads the advisory published by Palo Alto Networks.
| Product | Affected versions | Unaffected versions |
|---|---|---|
| PAN-OS 10.2 | < 10.2.2-h2 | >= 10.2.2-h2 (ETA: week of August 15, 2022) |
| PAN-OS 10.1 | < 10.1.6-h6 | >= 10.1.6-h6 |
| PAN-OS 10.0 | < 10.0.11-h1 | >= 10.0.11-h1 (ETA: week of August 15, 2022) |
| PAN-OS 9.1 | < 9.1.14-h4 | >= 9.1.14-h4 (ETA: week of August 15, 2022) |
| PAN-OS 9.0 | < 9.0.16-h3 | >= 9.0.16-h3 (ETA: week of August 15, 2022) |
| PAN-OS 8.1 | < 8.1.23-h1 | >= 8.1.23-h1 (ETA: August 15, 2022) |
| Prisma Access 3.1 | None | All |
| Prisma Access 3.0 | None | All |
| Prisma Access 2.2 | None | All |
| Prisma Access 2.1 | None | All |
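As an added example (not Palo Alto Networks' code), the following Python helper turns the table above into a check you can run against the sw-version string reported by `show system info`. It assumes the PAN-OS version format major.minor.maintenance with an optional -hN hotfix suffix, and treats a base release (no suffix) as sorting below its first hotfix, so 10.1.6 is reported as affected while 10.1.6-h6 and 10.1.7 are fixed. Prisma Access is not affected and is not modelled.

```python
"""Check a PAN-OS version string against the CVE-2022-0028 affected/fixed table.

Added example, not Palo Alto Networks code. The fixed releases come from the
advisory table above; the version format (major.minor.maintenance[-hN]) is the
sw-version format printed by 'show system info' and is assumed here.
"""
import re

# First fixed release per PAN-OS train (from the advisory table above).
FIXED = {
    (10, 2): "10.2.2-h2",
    (10, 1): "10.1.6-h6",
    (10, 0): "10.0.11-h1",
    (9, 1): "9.1.14-h4",
    (9, 0): "9.0.16-h3",
    (8, 1): "8.1.23-h1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'10.1.6-h6' -> (10, 1, 6, 6). A base release gets hotfix 0 so it sorts below -h1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def status(text):
    """Return 'affected', 'fixed' or 'not-listed' for a running PAN-OS version."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Train not in the advisory table (for example 11.x): consult the vendor advisory.
        return "not-listed"
    return "fixed" if version >= parse_version(fixed) else "affected"


if __name__ == "__main__":
    for v in ("10.1.6", "10.1.6-h6", "10.1.7", "10.2.2-h1", "8.1.22", "11.0.0"):
        print(f"{v:<12} {status(v)}")
```

Feed it the sw-version line from each firewall in your inventory; anything reported as `affected` on a train whose fix is still pending should carry one of the Zone Protection workarounds described below until it can be upgraded.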
Software Update Available
Palo Alto Networks has released a security update to address the vulnerability and has identified workarounds that prevent the DoS attacks resulting from this issue on firewalls that carry the affected URL filtering policy configuration.
At the time of the advisory, the issue is fixed in PAN-OS 10.1.6-h6 and later 10.1 releases for PA-Series, VM-Series, and CN-Series firewalls. The company anticipates releasing the fixes for the remaining PAN-OS trains listed above no later than the week of August 15, 2022.
To prevent the DoS attacks resulting from this issue from all sources, Palo Alto Networks recommends enabling one of the following two Zone Protection mitigations on every Security zone that has an assigned Security policy including a URL filtering profile:
1. Packet-based attack protection, with both Packet Based Attack Protection > TCP Drop > TCP SYN with Data and Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open enabled; or
2. Flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections. Note that a threshold of 0 means SYN cookies are applied to every inbound SYN on that zone, not only once a flood is detected.
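As an added example that is not part of the advisory or of Palo Alto Networks' tooling, the following Python script audits an exported PAN-OS configuration for the two workarounds above. For every zone that appears as a source zone in a Security rule carrying a URL Filtering profile, it reports which mitigation the zone's Zone Protection profile satisfies, if any, and flags zones with neither. The XML element paths and the sample configuration are assumptions constructed for this example: verify the paths against your own `show config running` export, and note that URL Filtering profiles attached through a Profile Group are not resolved here.

```python
"""Audit an exported PAN-OS configuration for the CVE-2022-0028 Zone Protection workarounds.

Added example; not Palo Alto Networks code. The XML paths assume the layout of a
'show config running' export, and SAMPLE_CONFIG is constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: three zones with URL-filtering rules, protected three
# different ways, plus an internal zone whose rule has no URL Filtering profile.
SAMPLE_CONFIG = """<config>
<devices><entry name="localhost.localdomain">
<network><profiles><zone-protection-profile>
  <entry name="zpp-packet">
    <discard-tcp-syn-with-data>yes</discard-tcp-syn-with-data>
    <strip-tcp-opt><tcp-fast-open>yes</tcp-fast-open></strip-tcp-opt>
  </entry>
  <entry name="zpp-cookie">
    <flood><tcp-syn><enable>yes</enable>
      <syn-cookies><alarm-rate>10000</alarm-rate><activate-rate>0</activate-rate>
        <maximal-rate>1000000</maximal-rate></syn-cookies>
    </tcp-syn></flood>
  </entry>
  <entry name="zpp-weak">
    <!-- SYN-with-Data alone, and SYN cookies that only activate during a flood -->
    <discard-tcp-syn-with-data>yes</discard-tcp-syn-with-data>
    <flood><tcp-syn><enable>yes</enable>
      <syn-cookies><activate-rate>1000</activate-rate></syn-cookies>
    </tcp-syn></flood>
  </entry>
</zone-protection-profile></profiles></network>
<vsys><entry name="vsys1">
  <zone>
    <entry name="untrust"><network><zone-protection-profile>zpp-packet</zone-protection-profile></network></entry>
    <entry name="dmz"><network><zone-protection-profile>zpp-cookie</zone-protection-profile></network></entry>
    <entry name="guest"><network><zone-protection-profile>zpp-weak</zone-protection-profile></network></entry>
    <entry name="trust"><network/></entry>
  </zone>
  <rulebase><security><rules>
    <entry name="inbound-web">
      <from><member>untrust</member><member>dmz</member></from>
      <profile-setting><profiles><url-filtering><member>block-risky</member></url-filtering></profiles></profile-setting>
    </entry>
    <entry name="guest-web">
      <from><member>guest</member></from>
      <profile-setting><profiles><url-filtering><member>default</member></url-filtering></profiles></profile-setting>
    </entry>
    <entry name="trust-out"><from><member>trust</member></from></entry>
  </rules></security></rulebase>
</entry></vsys>
</entry></devices>
</config>"""


def mitigation(profile):
    """Return 'packet-based', 'syn-cookie', or None for a zone-protection-profile element."""
    if profile is None:
        return None
    # Workaround 1 requires BOTH TCP Drop settings, not just one of them.
    if (profile.findtext("discard-tcp-syn-with-data") == "yes"
            and profile.findtext("strip-tcp-opt/tcp-fast-open") == "yes"):
        return "packet-based"
    # Workaround 2: SYN flood protection in SYN Cookie mode with activation threshold 0.
    syn = profile.find("flood/tcp-syn")
    if syn is not None and syn.findtext("enable") == "yes":
        if syn.findtext("syn-cookies/activate-rate") == "0":
            return "syn-cookie"
    return None


def audit(config_xml):
    """Map each zone exposed through a URL-filtering Security rule to the workaround it satisfies."""
    root = ET.fromstring(config_xml)
    profiles = {e.get("name"): e
                for e in root.iterfind(".//profiles/zone-protection-profile/entry")}
    zone_profile = {z.get("name"): z.findtext("network/zone-protection-profile")
                    for z in root.iterfind(".//vsys/entry/zone/entry")}
    exposed = set()
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if rule.find("profile-setting/profiles/url-filtering/member") is not None:
            exposed.update(m.text for m in rule.iterfind("from/member"))
    if "any" in exposed:  # a rule with source zone 'any' exposes every zone
        exposed = set(zone_profile)
    return {zone: mitigation(profiles.get(zone_profile.get(zone)))
            for zone in sorted(exposed)}


if __name__ == "__main__":
    for zone, result in audit(SAMPLE_CONFIG).items():
        print(f"{zone:<10} {result or 'NO WORKAROUND: exposed to CVE-2022-0028'}")
```

On the constructed sample, `untrust` and `dmz` satisfy workarounds 1 and 2 respectively, while `guest` is flagged because its profile enables only TCP SYN with Data and its SYN cookie threshold is 1000 rather than 0; `trust` is not reported because its rule carries no URL Filtering profile.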