When exploited, your firewall could be used to attack other networks.
Background
CISA warns that a Distributed Denial of Service (DDoS) vulnerability in Palo Alto PAN-OS firewalls is being exploited by threat actors. The vulnerability is reachable only through unintended misconfigurations in the firewall policy.
An attacker can perform a reflected and amplified DDoS attack against an intended victim—one of the most severe DDoS attacks possible. Though it requires very specific policy misconfigurations, attention from CISA means the misconfigurations are likely more common than it may appear.
Vulnerability Details
This week, CISA added CVE-2022-0028 (CVSSv3 8.6 – High) to its catalog of known and exploited vulnerabilities, after the vulnerability was originally disclosed back on August 10th. The vulnerability impacts PAN-OS PA-Series (hardware), VM-Series (Virtual) and CN-Series (Container) firewalls.
The Distributed Denial of Service (DDoS) attack is “reflected,” meaning the attack traffic appears to originate from the vulnerable devices rather than from the attacker’s network. It is also amplified, meaning that the victim receives many times more data than the attacker sent. An impacted firewall could therefore be used to perpetrate serious DDoS attacks across the Internet.
Required Policy Misconfiguration
1. The security policy on the firewall that allows traffic to pass from Zone A to Zone B includes a URL filtering profile with one or more blocked categories;
AND
2. Packet-based attack protection is not enabled in a Zone Protection profile for Zone A including both (Packet Based Attack Protection > TCP Drop > TCP Syn With Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open);
AND
3. Flood protection through SYN cookies is not enabled in a Zone Protection profile for Zone A (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
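The three conditions above can be checked mechanically against an exported firewall configuration. The following script is an added example, not Palo Alto's code and not from the original advisory: it parses a PAN-OS-style XML export and reports every security rule whose source zone meets all three conditions. The element names (`discard-tcp-syn-with-data`, `strip-tcp-opt/tcp-fast-open`, `flood/tcp-syn/syn-cookies/activate-rate`, the zone and rulebase paths) are an assumed, simplified layout modelled on PAN-OS exports; the sample configuration is constructed for the example, and the XPath strings must be adjusted to the schema of the PAN-OS version actually in use.

```python
"""Audit a PAN-OS-style configuration export for the three CVE-2022-0028
policy conditions. Added example, not Palo Alto's code: the element names are
an ASSUMED, simplified layout modelled on PAN-OS XML exports; adjust the
XPath strings to the schema of the PAN-OS version you actually run."""
import xml.etree.ElementTree as ET

# Constructed sample: zone "guest" has a weak zone protection profile,
# zone "trust" a hardened one, zone "untrust" none at all.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <network><profiles><zone-protection-profile>
    <entry name="zpp-weak">
      <discard-tcp-syn-with-data>no</discard-tcp-syn-with-data>
      <strip-tcp-opt><tcp-fast-open>no</tcp-fast-open></strip-tcp-opt>
      <flood><tcp-syn><enable>no</enable></tcp-syn></flood>
    </entry>
    <entry name="zpp-hardened">
      <discard-tcp-syn-with-data>yes</discard-tcp-syn-with-data>
      <strip-tcp-opt><tcp-fast-open>yes</tcp-fast-open></strip-tcp-opt>
      <flood><tcp-syn><enable>yes</enable>
        <syn-cookies><activate-rate>0</activate-rate></syn-cookies>
      </tcp-syn></flood>
    </entry>
  </zone-protection-profile></profiles></network>
  <vsys><entry name="vsys1">
    <zone>
      <entry name="guest"><network>
        <zone-protection-profile>zpp-weak</zone-protection-profile></network></entry>
      <entry name="trust"><network>
        <zone-protection-profile>zpp-hardened</zone-protection-profile></network></entry>
      <entry name="untrust"><network/></entry>
    </zone>
    <profiles><url-filtering>
      <entry name="urlf-block"><block><member>malware</member></block></entry>
      <entry name="urlf-alert"><alert><member>malware</member></alert></entry>
    </url-filtering></profiles>
    <rulebase><security><rules>
      <entry name="guest-out"><from><member>guest</member></from>
        <to><member>untrust</member></to><profile-setting><profiles>
        <url-filtering><member>urlf-block</member></url-filtering>
        </profiles></profile-setting></entry>
      <entry name="trust-out"><from><member>trust</member></from>
        <to><member>untrust</member></to><profile-setting><profiles>
        <url-filtering><member>urlf-block</member></url-filtering>
        </profiles></profile-setting></entry>
      <entry name="guest-alert-only"><from><member>guest</member></from>
        <to><member>untrust</member></to><profile-setting><profiles>
        <url-filtering><member>urlf-alert</member></url-filtering>
        </profiles></profile-setting></entry>
    </rules></security></rulebase>
  </entry></vsys>
</entry></devices></config>"""


def _text(elem, path, default=""):
    """Text of the first child matching path, or default when absent."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def zone_protection_status(root):
    """Map profile name -> (packet_based_ok, syn_cookies_ok), i.e. whether the
    profile satisfies condition 2 (both TCP drops) and condition 3 (SYN cookies
    enabled with an activation threshold of 0)."""
    status = {}
    for prof in root.iterfind(".//network/profiles/zone-protection-profile/entry"):
        syn_with_data = _text(prof, "discard-tcp-syn-with-data") == "yes"
        strip_tfo = _text(prof, "strip-tcp-opt/tcp-fast-open") == "yes"
        syn_flood = _text(prof, "flood/tcp-syn/enable") == "yes"
        activate = _text(prof, "flood/tcp-syn/syn-cookies/activate-rate")
        status[prof.get("name")] = (syn_with_data and strip_tfo,
                                    syn_flood and activate == "0")
    return status


def audit_config(xml_text):
    """Return [(rule_name, source_zone)] pairs that meet all three conditions."""
    root = ET.fromstring(xml_text)
    zpp = zone_protection_status(root)
    zone_to_zpp = {z.get("name"): _text(z, "network/zone-protection-profile")
                   for z in root.iterfind(".//vsys/entry/zone/entry")}
    blocking = {u.get("name") for u in root.iterfind(".//profiles/url-filtering/entry")
                if u.find("block/member") is not None}
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        # Condition 1: URL filtering profile with at least one blocked category.
        if _text(rule, "profile-setting/profiles/url-filtering/member") not in blocking:
            continue
        for src in rule.iterfind("from/member"):
            zone = (src.text or "").strip()
            # A zone with no profile bound fails conditions 2 and 3 outright.
            packet_ok, cookies_ok = zpp.get(zone_to_zpp.get(zone, ""), (False, False))
            if not packet_ok and not cookies_ok:
                findings.append((rule.get("name"), zone))
    return findings


if __name__ == "__main__":
    for rule, zone in audit_config(SAMPLE_CONFIG):
        print(f"rule {rule!r}: source zone {zone!r} meets all three conditions")
```

Run against the constructed sample, the script flags only `guest-out`: `trust-out` is cleared by the hardened zone protection profile, and `guest-alert-only` never meets condition 1 because its URL filtering profile alerts rather than blocks. Because the conditions are conjunctive, fixing either the packet-based drops or the SYN-cookie flood protection on the source zone removes the finding.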
Mitigation
Apply updates immediately if your configuration is impacted.
According to NVD, Panorama M-Series or Panorama virtual appliances are not impacted. The issue has been resolved for Cloud NGFW and Prisma Access customers.
Resources
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-0028
- Palo Alto Advisory: https://security.paloaltonetworks.com/CVE-2022-0028
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- BleepingComputer Article: https://www.bleepingcomputer.com/news/security/cisa-is-warning-of-high-severity-pan-os-ddos-flaw-used-in-attacks/