⚠ Actively exploited
Added to CISA KEV on 2022-08-22. Federal agencies required to patch by 2022-09-12. Required action: Apply updates per vendor instructions.

CVE-2022-0028: Insufficient Control of Network Message Volume (Network Amplification) in Palo Alto Networks PAN-OS

Severity: 8.6 HIGH (NVD)
EPSS: 4.7% (top 10.65%)
CISA KEV: Added 2022-08-22, due 2022-09-12
Exploit: Exploited in the wild, active exploitation observed
Timeline: Published 2022-08-10, KEV added 2022-08-22, KEV due 2022-09-12
CISA Required Action: Apply updates per vendor instructions.

Description

A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target. To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a source zone
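The precondition in the description (a URL filtering profile with at least one blocked category, applied by a security rule whose source zone faces the attacker) can be checked for in an exported PAN-OS configuration. The script below is an added example, not code from cvebase or Palo Alto Networks. It parses a constructed XML sample laid out in the approximate shape of a PAN-OS running-config export and lists every security rule that applies such a profile, directly or through a security profile group, to a source zone the operator treats as external. The element paths, the zone names (untrust, trust, dmz) and the rule and profile names are assumptions for the demo; verify the paths against a real export before relying on the result, and treat the check as a triage aid rather than a substitute for applying the fixed PAN-OS versions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the approximate shape of a PAN-OS running-config
# export. Zone, rule and profile names are made up for the demo; verify the
# element paths against your own XML export before using this on real data.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <profiles>
        <url-filtering>
          <entry name="block-bad-categories">
            <block><member>malware</member><member>command-and-control</member></block>
            <alert><member>unknown</member></alert>
          </entry>
          <entry name="alert-only">
            <alert><member>malware</member></alert>
          </entry>
        </url-filtering>
      </profiles>
      <profile-group>
        <entry name="inbound-group">
          <url-filtering><member>block-bad-categories</member></url-filtering>
        </entry>
      </profile-group>
      <rulebase><security><rules>
        <entry name="inbound-web">
          <from><member>untrust</member></from>
          <profile-setting><profiles>
            <url-filtering><member>block-bad-categories</member></url-filtering>
          </profiles></profile-setting>
        </entry>
        <entry name="inbound-via-group">
          <from><member>untrust</member></from>
          <profile-setting><group><member>inbound-group</member></group></profile-setting>
        </entry>
        <entry name="outbound-web">
          <from><member>trust</member></from>
          <profile-setting><profiles>
            <url-filtering><member>block-bad-categories</member></url-filtering>
          </profiles></profile-setting>
        </entry>
        <entry name="inbound-alert-only">
          <from><member>untrust</member></from>
          <profile-setting><profiles>
            <url-filtering><member>alert-only</member></url-filtering>
          </profiles></profile-setting>
        </entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""


def members(elem, path):
    """Text of every <member> under elem/path (empty set if the path is absent)."""
    return {m.text for m in elem.iterfind(path + "/member") if m.text}


def blocking_url_profiles(root):
    """URL-filtering profile name -> categories that profile sets to 'block'."""
    result = {}
    for prof in root.iterfind(".//profiles/url-filtering/entry"):
        blocked = members(prof, "block")
        if blocked:
            result[prof.get("name")] = blocked
    return result


def url_profiles_in_groups(root):
    """Security-profile-group name -> URL-filtering profiles it bundles."""
    return {g.get("name"): members(g, "url-filtering")
            for g in root.iterfind(".//profile-group/entry")}


def find_exposed_rules(config_xml, external_zones):
    """Return (rule, url_profile, blocked_categories) for every security rule
    whose source zone is external (or 'any') and that applies, directly or via
    a profile group, a URL-filtering profile with at least one blocked category.
    That is the configuration the advisory says an external attacker needs."""
    root = ET.fromstring(config_xml)
    blocking = blocking_url_profiles(root)
    groups = url_profiles_in_groups(root)
    external = set(external_zones)
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        src = members(rule, "from")
        if not (src & external) and "any" not in src:
            continue
        applied = members(rule, "profile-setting/profiles/url-filtering")
        for group in members(rule, "profile-setting/group"):
            applied |= groups.get(group, set())
        for prof in sorted(applied):
            if prof in blocking:
                findings.append((rule.get("name"), prof, sorted(blocking[prof])))
    return findings


if __name__ == "__main__":
    for rule, prof, cats in find_exposed_rules(SAMPLE_CONFIG, {"untrust"}):
        print(f"rule {rule!r} applies blocking URL profile {prof!r} to an "
              f"external source zone (blocks: {', '.join(cats)})")
```

A rule with source zone "any" is treated as external because it matches traffic from every zone. Profiles that only alert on or allow categories do not meet the condition in the description and are not reported; a rule that is reported should be reviewed with the operator, since URL filtering with block actions on inbound traffic is unusual and is usually unintended.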

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 4.0
Network attack vector, low complexity, no privileges or user interaction required, scope changed (the victim is a third party, not the firewall), no confidentiality or integrity impact, high availability impact.

Affected Packages (5 packages)

NVD: paloaltonetworks/pan-os, 8.1.0 through 8.1.23 (+11 more)
CVEList V5: palo_alto_networks/pan-os, 8.1 through 8.1.23-h1 (+5 more)
Palo Alto: paloalto/pan-os

🔴 Vulnerability Details (3)

GHSA: GHSA-r3j6-h9rm-9q33 (2022-08-11): A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.
CVEList (2022-08-10): PAN-OS: Reflected Amplification Denial-of-Service (DoS) Vulnerability in URL Filtering
VulnCheck (2022): Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service Vulnerability

📋 Vendor Advisories (2)

CISA (2022-08-22): Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service Vulnerability
Palo Alto (2022-08-10): PAN-OS: Reflected Amplification Denial-of-Service (DoS) Vulnerability in URL Filtering
CVE-2022-0028 — Palo Alto Networks Pan-os vulnerability | cvebase