The cybersecurity company Palo Alto Networks has announced a security vulnerability that affects some of its products. The vulnerability, tracked as CVE-2022-0778, is a high-severity infinite-loop bug in OpenSSL. Palo Alto Networks states that some of its firewall, VPN, and XDR products are affected by this bug.
The infinite-loop bug causes denial of service
Palo Alto Networks will deliver the patches the week after next
The root of this vulnerability is a bug in the BN_mod_sqrt() function, which causes an infinite loop for non-prime moduli. When abused, the problem results in denial of service. Fortunately, even though the details and proof-of-concept exploits have been published online, Palo Alto Networks has not observed any exploitation of its products.
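To show the class of fix at issue, here is an added Python example (not OpenSSL's BN_mod_sqrt() code and not from the original article): a Tonelli-Shanks modular square root in which every loop is bounded, so a non-prime modulus or a non-square input raises an error instead of spinning forever. The search limit constant and the helper names are assumptions made for this illustration.

```python
# Tonelli-Shanks modular square root with every loop bounded, so that a
# non-prime modulus (the kind of input behind CVE-2022-0778) raises an
# error instead of looping forever. Illustrative code, not OpenSSL's.

NONRESIDUE_SEARCH_LIMIT = 128  # assumed bound; the least non-residue of a prime is small


def mod_sqrt_bounded(a: int, p: int) -> int:
    """Return r with r*r == a (mod p) for an odd prime p.

    Raises ValueError when a is not a quadratic residue or when p is not
    an odd prime, instead of looping forever on bad input.
    """
    if p < 3 or p % 2 == 0:
        raise ValueError("modulus must be an odd prime")
    a %= p
    if a == 0:
        return 0
    # Factor p - 1 = q * 2**e with q odd.
    q, e = p - 1, 0
    while q % 2 == 0:
        q //= 2
        e += 1
    # Find a quadratic non-residue z via Euler's criterion. For a composite
    # modulus no such z may exist, so the search must be bounded.
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z > NONRESIDUE_SEARCH_LIMIT:
            raise ValueError("no quadratic non-residue found: modulus is probably not prime")
    m, c = e, pow(z, q, p)
    t, r = pow(a, q, p), pow(a, (q + 1) // 2, p)
    # Invariant: r*r == a*t (mod p). For prime p, t has order 2**i with
    # i < m, so m strictly decreases and the outer loop runs at most e times.
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                # Only reachable when a is a non-residue or p is not prime;
                # an unbounded version could loop here forever.
                raise ValueError("not a square, or modulus is not prime")
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p
    return r


def terminates_with_error(a: int, p: int) -> bool:
    """Helper for checks: True if the bounded routine rejects (a, p) cleanly."""
    try:
        mod_sqrt_bounded(a, p)
        return False
    except ValueError:
        return True
```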
Currently, PAN-OS, the GlobalProtect app, and the Cortex XDR agent contain a vulnerable version of OpenSSL. While PAN-OS is affected only in versions 8.1 and later, all versions of the GlobalProtect app and the Cortex XDR agent are affected.
The OpenSSL bug was actually fixed almost three weeks ago. However, patches for third-party components generally reach end products with some delay, and there are many examples of this. Palo Alto Networks will be applying the OpenSSL fix later this month, most likely between the 18th and 22nd of April.