Palo Alto bug used for DDoS attacks and there's no fix yet

There goes the weekend...

A high-severity Palo Alto Networks denial-of-service (DoS) vulnerability has been exploited by miscreants looking to launch DDoS attacks, and several of the affected products won't have a patch until next week.

The vulnerability, tracked as CVE-2022-0028, received an 8.6 out of 10 CVSS score, and it affects PAN-OS, the operating system in Palo Alto Networks' network security products. Panorama M-Series and Panorama virtual appliances are not affected, and Palo Alto Networks says it has already fixed the issue for cloud-based firewall and Prisma Access customers.

Additionally, Palo Alto Networks has patched PAN-OS 10.1.6-h6 and later 10.1 releases for its PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewalls.

We're told fixes for the other supported branches, PAN-OS 8.1.23-h1, PAN-OS 9.0.16-h3, PAN-OS 9.1.14-h4, PAN-OS 10.0.11-h1, and PAN-OS 10.2.2-h2, will arrive during the week of August 15.

The flaw lies in how PAN-OS handles a particular URL filtering policy misconfiguration, which could allow an external attacker with network access to conduct reflected and amplified TCP denial-of-service attacks, according to Palo Alto Networks' security advisory. As with any reflected DoS, the attacker spoofs the victim's address so the firewall's responses land on the victim; from the victim's side, the flood appears to originate from a hardware, virtual or container-based Palo Alto Networks firewall.

To exploit this flaw, an external attacker would have to find a firewall with an atypical, and likely unintended, configuration, according to the advisory.

"The firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface," it explained.

Apparently, however, all the stars aligned for at least some miscreants looking to exploit this vulnerability.

"Palo Alto Networks recently learned that an attempted reflected denial-of-service (RDoS) attack was identified by a service provider," the security firm warned. "This attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks. We immediately started to root cause and remediate this issue."

The fact that the bug is under active exploit shouldn't come as a big surprise. According to the vendor's own annual incident response report, criminals "start scanning for vulnerabilities within 15 minutes of a CVE being announced."

It does, however, likely mean some weekend work for security engineers. Specific to the PAN-OS bug, CVE-2022-0028, the new security advisory added: "Exploitation of this issue does not impact the confidentiality, integrity, or availability of our products." In other words, the firewall is the reflector, not the victim; the harm falls on whoever the attacker points it at.

While waiting for a patch, Palo Alto Networks does recommend some workarounds.

First, if any of your security rules meet the criteria above, that is, a URL filtering profile with one or more blocked categories attached to a rule whose source zone includes an external-facing interface, remove or rework that configuration so the flaw cannot be used to launch DoS attacks.
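Finding those rules by hand on a busy firewall is error-prone, so the following is a small audit script, added here as an example and not code from Palo Alto Networks or the advisory. It walks an exported PAN-OS configuration (XML) and reports every enabled security rule that both attaches a URL filtering profile with at least one category set to block and takes traffic from a zone containing an interface you declare external-facing. The element paths it uses follow the PAN-OS running-config layout as understood by the author of this example and are an assumption to verify against your own export; the embedded configuration is constructed for the demonstration, not taken from a real device.

```python
"""Find PAN-OS security rules that match the CVE-2022-0028 precondition.

Added example, not Palo Alto Networks code. Parses an exported PAN-OS config
(XML) and reports security rules that (a) attach a URL filtering profile with
at least one blocked category and (b) take traffic from a source zone holding
an interface the operator declares external-facing. The element paths are an
assumption about the running-config layout; check them against your export.
"""
import xml.etree.ElementTree as ET

# Constructed sample export (not a real device's config): one exposed rule,
# one internal-only rule, one alert-only rule and one disabled rule.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <zone>
    <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
    <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
  </zone>
  <profiles><url-filtering>
    <entry name="block-bad"><block><member>malware</member><member>phishing</member></block>
      <alert><member>social-networking</member></alert></entry>
    <entry name="alert-only"><alert><member>malware</member></alert></entry>
  </url-filtering></profiles>
  <rulebase><security><rules>
    <entry name="inbound-web"><from><member>untrust</member></from><to><member>trust</member></to>
      <profile-setting><profiles><url-filtering><member>block-bad</member></url-filtering></profiles></profile-setting></entry>
    <entry name="outbound-web"><from><member>trust</member></from><to><member>untrust</member></to>
      <profile-setting><profiles><url-filtering><member>block-bad</member></url-filtering></profiles></profile-setting></entry>
    <entry name="inbound-alert"><from><member>untrust</member></from><to><member>trust</member></to>
      <profile-setting><profiles><url-filtering><member>alert-only</member></url-filtering></profiles></profile-setting></entry>
    <entry name="legacy-inbound"><disabled>yes</disabled><from><member>any</member></from><to><member>any</member></to>
      <profile-setting><profiles><url-filtering><member>block-bad</member></url-filtering></profiles></profile-setting></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def external_zones(root, external_interfaces):
    """Zones whose layer3 membership includes any operator-declared external interface."""
    wanted = set(external_interfaces)
    zones = set()
    for zone in root.findall(".//vsys/entry/zone/entry"):
        members = {m.text for m in zone.findall("network/layer3/member")}
        if members & wanted:
            zones.add(zone.get("name"))
    return zones


def blocking_url_profiles(root):
    """Map each URL filtering profile that blocks at least one category to those categories."""
    result = {}
    for prof in root.findall(".//vsys/entry/profiles/url-filtering/entry"):
        blocked = sorted(m.text for m in prof.findall("block/member"))
        if blocked:
            result[prof.get("name")] = blocked
    return result


def exposed_rules(config_xml, external_interfaces):
    """Return (rule name, offending source zones, blocking profiles) for each exposed rule."""
    root = ET.fromstring(config_xml)
    ext_zones = external_zones(root, external_interfaces)
    profiles = blocking_url_profiles(root)
    findings = []
    for rule in root.findall(".//rulebase/security/rules/entry"):
        if rule.findtext("disabled", default="no").strip() == "yes":
            continue  # a disabled rule is not enforced and cannot act as a reflector
        src = {m.text for m in rule.findall("from/member")}
        attached = {m.text for m in rule.findall(
            "profile-setting/profiles/url-filtering/member")}
        hits = sorted(attached & set(profiles))
        if not hits:
            continue
        # A source zone of "any" covers every external zone, so treat it as all of them.
        offending = sorted(ext_zones) if "any" in src else sorted(src & ext_zones)
        if offending:
            findings.append((rule.get("name"), offending, hits))
    return findings


if __name__ == "__main__":
    for name, zones, profs in exposed_rules(SAMPLE_CONFIG, ["ethernet1/1"]):
        print(f"rule {name!r}: source zones {zones} use blocking URL profiles {profs}")
```

Run it against `show config running` output saved to a file, passing the names of your internet-facing interfaces. Two caveats: rules that reference a security profile group rather than an individual URL filtering profile are not resolved here, and a zone is only treated as external if you name one of its interfaces, so a zone that is exposed through a different layer (aggregate or VLAN interfaces, for instance) needs its members listed too.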

If you'd rather keep the URL filtering policy, the security advisory also provides instructions for a zone protection mitigation on the affected zones: either packet-based attack protection or flood protection with SYN cookies. The vendor noted that "it is not necessary nor advantageous to apply both."

Aporeto software users, however, should not enable either of these. Instead, wait for the fixed PAN-OS software version. ®
