A service provider recently notified Palo Alto Networks about an attempted reflected denial-of-service (RDoS) attack. The firewalls of several vendors, including Palo Alto Networks, were vulnerable to this attempted attack.
An amplified TCP RDoS attack can be initiated by an attacker on the network by exploiting a misconfigured PAN-OS URL filtering policy. The situation is caused by a high severity vulnerability with a CVSS score of 8.6, tracked as CVE-2022-0028.
How Is It Exploited?
For an attacker to exploit the flaw, the firewall configuration must include a URL filtering profile with at least one blocked category and a source zone with an external-facing network interface. Exploitation does not affect the integrity or availability of Palo Alto products; however, the DoS attack may obscure the attacker’s identity and make the DoS appear to be sourced from Palo Alto Networks’ PA-Series, VM-Series, and CN-Series firewalls.
Which Palo Alto Products Are Affected?
The problem has been fixed for Cloud NGFW and Prisma Access. No further action is required from customers.
This flaw is fixed in PAN-OS 10.1.6-h6 and all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.
Currently affected products are listed below:
- PAN-OS 10.2 (versions before 10.2.2-h2)
- PAN-OS 10.1 (versions before 10.1.6-h6)
- PAN-OS 10.0 (versions before 10.0.11-h1)
- PAN-OS 9.1 (versions before 9.1.14-h4)
- PAN-OS 9.0 (versions before 9.0.16-h3)
- PAN-OS 8.1 (versions before 8.1.23-h1)
Palo Alto promises to deliver updated versions within this week.
Required Configuration for Exposure
For this vulnerability to be exploited by an attacker, the firewall configuration must contain a URL filtering profile with one or more prohibited categories attached to a security rule whose source zone has an external-facing interface. This configuration is uncommon for URL filtering and was probably not the administrator’s intent.
This issue applies to PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewalls only if all three of the following circumstances are true:
- The security setting on the firewall that permits traffic to move from Zone A to Zone B includes a URL filtering profile with one or more blocked categories;
- Packet-based attack protection, including both (Packet Based Attack Protection > TCP Drop > TCP Syn With Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open), is not enabled in a Zone Protection profile for Zone A;
- Flood protection through SYN cookies (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections is not enabled in a Zone Protection profile for Zone A.
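An audit sketch that combines the affected-version list and the three exposure conditions above; it is an added example, not Palo Alto Networks code. The inventory layout and field names (`url_profile`, `syn_with_data`, `strip_tfo`, `syn_cookie`, `activate`) are a hypothetical simplified model, not PAN-OS configuration syntax, and the zone protection settings are keyed directly by zone name.

```python
import re

# First fixed release per PAN-OS train, as listed in the article.
FIXED = {"10.2": "10.2.2-h2", "10.1": "10.1.6-h6", "10.0": "10.0.11-h1",
         "9.1": "9.1.14-h4", "9.0": "9.0.16-h3", "8.1": "8.1.23-h1"}

def parse_version(v):
    """'10.1.6-h6' -> (10, 1, 6, 6); a release without a hotfix gets hotfix 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {v!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(v):
    """True/False for trains the article lists, None for any other train."""
    ver = parse_version(v)
    fixed = FIXED.get(f"{ver[0]}.{ver[1]}")
    return None if fixed is None else ver < parse_version(fixed)

def zone_exposed(zone, rules, url_profiles, zp_profiles):
    """Apply the article's three conditions to one source zone (Zone A)."""
    # 1. A security rule sourced from this zone carries a URL filtering
    #    profile with at least one blocked category.
    blocking = any(zone in r["from"] and url_profiles.get(r.get("url_profile"), [])
                   for r in rules)
    zp = zp_profiles.get(zone, {})
    # 2. Both TCP drop settings must be on to count as protection.
    pkt = zp.get("syn_with_data", False) and zp.get("strip_tfo", False)
    # 3. SYN cookies count only with an activation threshold of 0.
    syn = zp.get("syn_cookie", False) and zp.get("activate") == 0
    return bool(blocking) and not pkt and not syn

# Constructed sample inventory (hypothetical field names, not PAN-OS syntax).
RULES = [{"name": "inbound-web", "from": ["untrust"], "to": ["dmz"], "url_profile": "strict"},
         {"name": "partner-in", "from": ["partner"], "to": ["dmz"], "url_profile": "strict"}]
URL_PROFILES = {"strict": ["gambling", "malware"]}   # profile -> blocked categories
ZP_PROFILES = {"partner": {"syn_cookie": True, "activate": 0}}

if __name__ == "__main__":
    for ver in ("10.1.6-h3", "10.1.6-h6", "9.1.14"):
        print(ver, "affected:", version_affected(ver))
    for z in ("untrust", "partner"):
        print(z, "exposed:", zone_exposed(z, RULES, URL_PROFILES, ZP_PROFILES))
```

A firewall needs attention only when both checks are true: the running release is older than the fixed hotfix for its train, and at least one source zone meets all three conditions.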
Palo Alto Has Released Workarounds
If you have a URL filtering policy with one or more blocked categories assigned to a security rule whose source zone has an external-facing interface, removing this configuration will prevent remote attackers from using this vulnerability to launch reflected DoS attacks.
For other workarounds and mitigations, check Palo Alto’s security advisory.