Palo Alto Networks warns of Reflected Amplification DoS issue in PAN-OS

Palo Alto Networks devices running the PAN-OS are abused to launch reflected amplification denial-of-service (DoS) attacks.

Threat actors are exploiting a vulnerability, tracked as CVE-2022-0028 (CVSS score of 8.6), in Palo Alto Networks devices running the PAN-OS to launch reflected amplification denial-of-service (DoS) attacks.

The vendor has learned that firewalls from multiple vendors are abused to conduct distributed denial-of-service (DDoS) attacks, but it did not disclose the name of the impacted companies.

“Palo Alto Networks recently learned that an attempted reflected denial-of-service (RDoS) attack was identified by a service provider. This attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks. We immediately started to root cause and remediate this issue.” reads the advisory published by Palo Alto Networks. “Exploitation of this issue does not impact the confidentiality, integrity, or availability of our products.

The root cause of the issue affecting the Palo Alto Network devices is a misconfiguration in the PAN-OS URL filtering policy that allows a network-based attacker to conduct reflected and amplified TCP DoS attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against a target chosen by the attackers.

The issue could be exploited if the firewall configuration has a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface.

The flaw can be mitigated by removing the URL filtering policy, the company also recommends enabling only one security feature between packet-based attack protection and flood protection on their Palo Alto.

If exploited, this flaw would not impact the confidentiality, integrity, or availability of Palo Alto Networks products. However, the company pointed out that the resulting denial-of-service (DoS) attack may allow threat actors to hide their identity and implicate the firewall as the source of the attack.

Below is the Product Status shared by the vendor:

Versions	Affected	Unaffected
Cloud NGFW	None	All
PAN-OS 10.2	< 10.2.2-h2	>= 10.2.2-h2 (ETA: week of August 15, 2022)
PAN-OS 10.1	< 10.1.6-h6	>= 10.1.6-h6
PAN-OS 10.0	< 10.0.11-h1	>= 10.0.11-h1 (ETA: week of August 15, 2022)
PAN-OS 9.1	< 9.1.14-h4	>= 9.1.14-h4 (ETA: week of August 15, 2022)
PAN-OS 9.0	< 9.0.16-h3	>= 9.0.16-h3 (ETA: week of August 15, 2022)
PAN-OS 8.1	< 8.1.23-h1	>= 8.1.23-h1 (ETA: August 15, 2022)
Prisma Access 3.1	None	All
Prisma Access 3.0	None	All
Prisma Access 2.2	None	All
Prisma Access 2.1	None	All

The US Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory to warn of this vulnerability.

“Palo Alto Networks has released a security update to address a vulnerability in PAN-OS firewall configurations. A remote attacker could exploit this vulnerability to conduct a reflected denial-of service,” reads the advisory published by CISA.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-0028)

[adrotate banner=”5″]

[adrotate banner=”13″]