- Palo Alto Networks has disclosed a vulnerability affecting PAN-OS on its network security products, including PA-Series, VM-Series, and CN-Series firewalls.
- The vulnerability was discovered by a service provider that recently experienced an attempted reflected denial-of-service (RDoS) attack.
- Palo Alto Networks is working on PAN-OS software updates, with releases expected during the week of August 15, 2022.
Palo Alto Networks, an American multinational cybersecurity company, has published a security advisory about a flaw that makes reflected and amplified TCP denial-of-service (RDoS) attacks possible. The flaw affects Palo Alto Networks PAN-OS-based network security products such as PA-Series, VM-Series, and CN-Series firewalls.
Specific conditions must be met
Palo Alto Networks has learned that a threat actor has tried to exploit firewalls from multiple vendors for distributed denial-of-service (DDoS) attacks. The flaw is caused by a URL filtering policy misconfiguration that could let an external attacker with network access run reflected and amplified TCP denial-of-service attacks.
The flaw, tracked as CVE-2022-0028, has a CVSS severity score of 8.6. It affects the Palo Alto Networks PAN-OS software, which runs on all of the company's next-generation firewalls. The vulnerability was discovered by a service provider that recently experienced an attempted reflected denial-of-service (RDoS) attack. The alleged attack took advantage of vulnerable firewalls from multiple vendors, including Palo Alto Networks.
To exploit the vulnerability, all of the following conditions must be met:
- The security policy on the firewall that allows traffic to pass from Zone A to Zone B includes a URL filtering profile with one or more blocked categories.
- Packet-based attack protection is not enabled in a Zone Protection profile for Zone A including both (Packet Based Attack Protection > TCP Drop > TCP Syn With Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open).
- Flood protection through SYN cookies is not enabled in a Zone Protection profile for Zone A (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
The security company stated that exploitation of the vulnerability would not impact the confidentiality, integrity, or availability of its products. Palo Alto Networks stated in its advisory:
"To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator."
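As an added example (not from the article and not Palo Alto Networks' code), the following Python encodes the three conditions listed above plus the external-facing source zone from the quoted advisory text as an audit over a simplified, constructed configuration model; the field names are assumptions for this example and are not the PAN-OS configuration schema.

```python
# Constructed sample model (assumed field names, not the PAN-OS schema): zone
# "untrust" is external facing and currently bound to a weak Zone Protection
# profile, so the inbound allow rule with a blocking URL profile is exposed.
CONFIG = {
    "url_filtering_profiles": {
        "block-malware": {"blocked_categories": ["malware", "phishing"]},
        "alert-only": {"blocked_categories": []},
    },
    "zone_protection_profiles": {
        "weak": {"drop_syn_with_data": False, "strip_tcp_fast_open": False,
                 "syn_cookies": False, "syn_cookie_threshold": None},
        "hardened": {"drop_syn_with_data": True, "strip_tcp_fast_open": True,
                     "syn_cookies": True, "syn_cookie_threshold": 0},
    },
    "zones": {
        "untrust": {"external_facing": True, "zone_protection_profile": "weak"},
        "trust": {"external_facing": False, "zone_protection_profile": None},
    },
    "security_rules": [
        {"name": "allow-out", "from": "trust", "action": "allow",
         "url_filtering_profile": "block-malware"},
        {"name": "inbound-web", "from": "untrust", "action": "allow",
         "url_filtering_profile": "block-malware"},
        {"name": "inbound-alert", "from": "untrust", "action": "allow",
         "url_filtering_profile": "alert-only"},
    ],
}

def zone_protection_mitigates(zpp):
    """True if the profile carries either mitigation named in the advisory:
    both packet-based TCP drops, or SYN cookies with a 0-connection threshold."""
    if zpp is None:
        return False
    packet_based = zpp["drop_syn_with_data"] and zpp["strip_tcp_fast_open"]
    syn_cookie = zpp["syn_cookies"] and zpp["syn_cookie_threshold"] == 0
    return packet_based or syn_cookie

def find_exposed_rules(config):
    """Names of allow rules meeting every precondition: a URL filtering profile
    with blocked categories, an external-facing source zone, no mitigation."""
    exposed = []
    for rule in config["security_rules"]:
        profile = config["url_filtering_profiles"].get(rule["url_filtering_profile"])
        zone = config["zones"][rule["from"]]
        zpp = config["zone_protection_profiles"].get(zone["zone_protection_profile"])
        if (rule["action"] == "allow" and profile and profile["blocked_categories"]
                and zone["external_facing"] and not zone_protection_mitigates(zpp)):
            exposed.append(rule["name"])
    return exposed
```

Rebinding the external zone to the "hardened" profile (either workaround from the advisory) empties the result.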
Palo Alto Networks is working on PAN-OS software updates, with releases expected during the week of August 15, 2022. The vulnerability does not affect Panorama M-Series or Panorama virtual appliances. Until a fix is available, Palo Alto Networks recommends two workarounds: the Packet-Based Attack Protection Workaround and the Flood Protection (Alternate) Workaround.
Palo Alto Networks has released the fix for PAN-OS 10.1. The remaining versions will be fixed this week as well.
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 10.2 | < 10.2.2-h2 | >= 10.2.2-h2 (ETA: week of August 15, 2022) |
| PAN-OS 10.1 | < 10.1.6-h6 | >= 10.1.6-h6 |
| PAN-OS 10.0 | < 10.0.11-h1 | >= 10.0.11-h1 (ETA: week of August 15, 2022) |
| PAN-OS 9.1 | < 9.1.14-h4 | >= 9.1.14-h4 (ETA: week of August 15, 2022) |
| PAN-OS 9.0 | < 9.0.16-h3 | >= 9.0.16-h3 (ETA: week of August 15, 2022) |
| PAN-OS 8.1 | < 8.1.23-h1 | >= 8.1.23-h1 (ETA: August 15, 2022) |