Security

Palo Alto bug used for DDoS attacks and there's no fix yet

There goes the weekend...


A high-severity Palo Alto Networks denial-of-service (DoS) vulnerability has been exploited by miscreants looking to launch DDoS attacks, and several of the affected products won't have a patch until next week.

The vulnerability, tracked as CVE-2022-0028, received an 8.6 out of 10 CVSS score, and it affects PAN-OS, the operating system in Palo Alto Networks' network security products. The bug does not affect Panorama M-Series or Panorama virtual appliances, and Palo Alto Networks has already fixed the issue for cloud-based firewall and Prisma Access customers.

Additionally, Palo Alto Networks patched PAN-OS version 10.1.6-h6 and all later PAN-OS versions for its PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewalls. 

We're told fixes for software releases PAN-OS 8.1.23-h1, PAN-OS 9.0.16-h3, PAN-OS 9.1.14-h4, PAN-OS 10.0.11-h1, and PAN-OS 10.2.2-h2 will arrive sometime next week, on August 15 or later.

The bug is caused by a URL filtering policy misconfiguration that could allow an external attacker with network access to conduct reflected and amplified TCP denial-of-service attacks, according to Palo Alto Networks' security advisory. If exploited, the attack would appear to originate from a hardware, virtual or container-based firewall against a target.

To exploit this flaw, an external attacker would have to find a firewall with an atypical, and likely unintended, configuration, according to the advisory.

"The firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface," it explained.

Apparently, however, all the stars aligned for at least some miscreants looking to exploit this vulnerability.

"Palo Alto Networks recently learned that an attempted reflected denial-of-service (RDoS) attack was identified by a service provider," the security firm warned. "This attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks. We immediately started to root cause and remediate this issue."

The fact that the bug is under active exploit shouldn't come as a big surprise. According to the vendor's own annual incident response report, criminals "start scanning for vulnerabilities within 15 minutes of a CVE being announced."

It does, however, likely mean some weekend work for security engineers. Specific to the PAN-OS bug, CVE-2022-0028, the new security advisory added: "Exploitation of this issue does not impact the confidentiality, integrity, or availability of our products."

While waiting for a patch, Palo Alto Networks does recommend some workarounds.

First, if your URL filtering policy meets the above-mentioned criteria, remove this configuration to prevent criminals from exploiting the flaw to launch DoS attacks.
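One way to check a configuration export against the advisory's criteria, as an added example that is not from the article or Palo Alto Networks: it flags security rules that pair a URL filtering profile with blocked categories and an external-facing source zone. The XML layout is a simplified, assumed approximation of a PAN-OS running-config export, and the set of external-facing zone names is supplied by the operator.

```python
# Added audit example (not from the article or Palo Alto Networks): flags
# rules in a PAN-OS-style config export that meet the CVE-2022-0028
# precondition. The XML layout is an assumed simplification of a real export.
import xml.etree.ElementTree as ET

# Constructed sample config: one blocking and one alert-only URL profile.
SAMPLE_CONFIG = """<config>
  <profiles><url-filtering>
    <entry name="block-malware"><block><member>malware</member></block></entry>
    <entry name="alert-only"><alert><member>gambling</member></alert></entry>
  </url-filtering></profiles>
  <rulebase><security><rules>
    <entry name="inbound-web"><from><member>untrust</member></from>
      <profile-setting><profiles><url-filtering><member>block-malware</member>
      </url-filtering></profiles></profile-setting></entry>
    <entry name="inbound-alert"><from><member>untrust</member></from>
      <profile-setting><profiles><url-filtering><member>alert-only</member>
      </url-filtering></profiles></profile-setting></entry>
    <entry name="internal-web"><from><member>trust</member></from>
      <profile-setting><profiles><url-filtering><member>block-malware</member>
      </url-filtering></profiles></profile-setting></entry>
    <entry name="catch-all"><from><member>any</member></from>
      <profile-setting><profiles><url-filtering><member>block-malware</member>
      </url-filtering></profiles></profile-setting></entry>
  </rules></security></rulebase>
</config>"""

def blocking_profiles(root):
    """Names of URL filtering profiles that block at least one category."""
    return {p.get("name") for p in root.iterfind(".//profiles/url-filtering/entry")
            if p.findall("./block/member")}

def find_susceptible_rules(config_xml, external_zones):
    """Rules with a blocking URL profile whose source zone is external-facing
    (operator-supplied zone names); a source zone of 'any' also counts."""
    root = ET.fromstring(config_xml)
    blocking = blocking_profiles(root)
    hits = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        zones = {m.text for m in rule.findall("./from/member")}
        profs = {m.text for m in rule.findall(
            "./profile-setting/profiles/url-filtering/member")}
        exposed = "any" in zones or bool(zones & set(external_zones))
        if exposed and profs & blocking:
            hits.append(rule.get("name"))
    return hits

if __name__ == "__main__":
    print(find_susceptible_rules(SAMPLE_CONFIG, {"untrust"}))
```

Rules the script lists are candidates for the workaround above (detach the blocking profile or narrow the rule's source zone) until the fixed PAN-OS release is installed.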

The security advisory also provides instructions to apply either packet-based attack protection or flood protection — but noted "it is not necessary nor advantageous to apply both."

Aporeto software users, however, should not enable either of these. Instead, wait for the fixed PAN-OS software version. ®
