CVE-2022-0028
published 2022-08-10

CVE-2022-0028: A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks…

Priority: P2 (79) · Severity: High · CVSS 3.1: 8.6
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:N / I:N / A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2022-09-12
Exploited in the wild
EPSS: 2.04% (78.7th percentile)
A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target. To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a source zone that has an external facing interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator. If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack. We have taken prompt action to address this issue in our PAN-OS software. All software updates for this issue are expected to be released no later than the week of August 15, 2022. This issue does not impact Panorama M-Series or Panorama virtual appliances. This issue has been resolved for all Cloud NGFW and Prisma Access customers and no additional action is required from them.

Affected

21 ranges

Vendor              Product        Version range           Fixed in
palo_alto_networks  pan-os         >= 10.0 < 10.0.11-h1    10.0.11-h1
palo_alto_networks  pan-os         >= 10.1 < 10.1.6-h6     10.1.6-h6
palo_alto_networks  pan-os         >= 10.2 < 10.2.2-h2     10.2.2-h2
palo_alto_networks  pan-os         >= 8.1 < 8.1.23-h1      8.1.23-h1
palo_alto_networks  pan-os         >= 9.0 < 9.0.16-h3      9.0.16-h3
palo_alto_networks  pan-os         >= 9.1 < 9.1.14-h4      9.1.14-h4
paloalto            cloud_ngfw     -                       -
paloalto            pan-os         -                       -
paloalto            prisma_access  -                       -
paloaltonetworks    pan-os         -                       -
paloaltonetworks    pan-os         -                       -
paloaltonetworks    pan-os         -                       -
paloaltonetworks    pan-os         -                       -
paloaltonetworks    pan-os         -                       -
paloaltonetworks    pan-os         -                       -
paloaltonetworks    pan-os         >= 10.0.0 < 10.0.11     10.0.11
paloaltonetworks    pan-os         >= 10.1.0 < 10.1.6      10.1.6
paloaltonetworks    pan-os         >= 10.2.0 < 10.2.2      10.2.2
paloaltonetworks    pan-os         >= 8.1.0 < 8.1.23       8.1.23
paloaltonetworks    pan-os         >= 9.0.0 < 9.0.16       9.0.16
paloaltonetworks    pan-os         >= 9.1.0 < 9.1.14       9.1.14

The two sets of ranges disagree on where the fix boundary lies: the first set ends at the vendor's hotfix builds (10.0.11-h1 and so on, matching the fixed versions the advisory text lists), while the second set ends at the base maintenance release (10.0.11). Per the vendor's ranges, a firewall on a base release without the corresponding -h hotfix is still unpatched.
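The hotfix suffix is what makes the version check easy to get wrong: a plain string or tuple comparison of "10.0.11" against "10.0.11-h1" does not tell you the base release is below the fix. Here is an added Python example (mine, not code from this page or from Palo Alto Networks) that parses the PAN-OS major.minor.maint[-hN] form as it appears in the sw-version field of `show system info`, compares each build against the vendor's fixed build for its release train, and triages a constructed inventory. Trains the advisory does not list (8.0 and older, or 11.x, which post-dates the fixes) are reported as such rather than guessed at.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed PAN-OS builds per release train, from the vendor's "Fixed in" column above.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (8, 1): "8.1.23-h1",
    (9, 0): "9.0.16-h3",
    (9, 1): "9.1.14-h4",
    (10, 0): "10.0.11-h1",
    (10, 1): "10.1.6-h6",
    (10, 2): "10.2.2-h2",
}

# PAN-OS reports versions as major.minor.maint with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.0.11-h1' into (10, 0, 11, 1). A base release gets hotfix 0, so
    10.0.11 sorts below 10.0.11-h1, which is exactly the comparison that matters."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build is below the fixed build of its train, False if at or
    above it, None if the train is not in the advisory's affected ranges."""
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a fleet given as {hostname: sw-version}."""
    labels = {True: "VULNERABLE", False: "fixed", None: "train not in advisory"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    fleet = {
        "fw-edge-1": "10.1.6",     # base release without the h6 hotfix: still vulnerable
        "fw-edge-2": "10.1.6-h6",
        "fw-dc-1": "9.0.16-h3",
        "fw-lab": "8.1.22",
        "fw-new": "11.0.0",
    }
    for host, status in triage(fleet).items():
        print(f"{host:10} {fleet[host]:12} {status}")
```

The point of the tuple is the fourth element: once the hotfix number is part of the key, the ordinary `<` on tuples gives the right answer for both base and hotfix builds.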

Detection & IOCs (extracted from sources)

  • Vulnerable configuration: a URL filtering profile with one or more blocked categories assigned to a security rule whose source zone has an external-facing network interface; this is what enables abuse for reflected/amplified TCP DoS
  • The DoS traffic will appear to originate FROM the PAN-OS firewall (PA-Series, VM-Series, CN-Series) toward an attacker-specified target; hunt for anomalous outbound TCP flood traffic sourced from firewall interfaces
  • The attack vector is network-based (no authentication required); monitor for unexpected high-volume TCP traffic initiated by the firewall itself toward external destinations as an indicator of exploitation
  • Only PAN-OS firewalls with a URL filtering profile containing blocked categories assigned to a security rule whose source zone has an external-facing interface are exploitable; the vendor describes this as an atypical, likely unintended configuration
  • Panorama M-Series and Panorama virtual appliances are NOT affected by this CVE
  • Cloud NGFW and Prisma Access customers are already remediated and require no action
  • Fixed versions: PAN-OS 8.1.23-h1, 9.0.16-h3, 9.1.14-h4, 10.0.11-h1, 10.1.6-h6, 10.2.2-h2, and all later versions for PA-Series, VM-Series, and CN-Series firewalls
  • Workaround: remove URL filtering blocked-category assignments from security rules where the source zone is external-facing; additionally, enabling zone protection mitigations on all security zones with an external-facing interface can block DoS from all sources
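The vulnerable configuration is a join across three parts of the firewall config (zones and their interfaces, URL filtering profiles and their block lists, and the security rulebase), so it is worth auditing mechanically rather than by eye. Here is an added Python example (mine, not code from this page or from Palo Alto Networks) that runs that join over a running-config XML export. The element layout it walks (zone/entry/network, profiles/url-filtering/entry/block, profile-group/entry/url-filtering, rulebase/security/rules/entry with profile-setting) follows the PAN-OS config export format as I know it, restricted to a single vsys with no shared objects; the embedded config is constructed sample input, and the list of external-facing interfaces is something the operator supplies from their own inventory. It goes slightly beyond the bullet by also resolving profile groups and by skipping deny rules, since security profiles only act on sessions a rule allows.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set, Tuple

# Constructed excerpt in the shape of a PAN-OS running-config export; sample input only.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone>
      <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
    </zone>
    <profiles><url-filtering>
      <entry name="block-malware">
        <block><member>malware</member><member>phishing</member></block>
        <alert><member>gambling</member></alert>
      </entry>
      <entry name="alert-only"><alert><member>malware</member></alert></entry>
    </url-filtering></profiles>
    <profile-group>
      <entry name="strict"><url-filtering><member>block-malware</member></url-filtering></entry>
    </profile-group>
    <rulebase><security><rules>
      <entry name="outbound-web">
        <from><member>trust</member></from><to><member>untrust</member></to><action>allow</action>
        <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting>
      </entry>
      <entry name="inbound-via-group">
        <from><member>untrust</member></from><to><member>trust</member></to><action>allow</action>
        <profile-setting><group><member>strict</member></group></profile-setting>
      </entry>
      <entry name="inbound-alert-only">
        <from><member>untrust</member></from><to><member>trust</member></to><action>allow</action>
        <profile-setting><profiles><url-filtering><member>alert-only</member></url-filtering></profiles></profile-setting>
      </entry>
      <entry name="inbound-deny">
        <from><member>untrust</member></from><to><member>trust</member></to><action>deny</action>
        <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

Finding = Tuple[str, List[str], List[str]]  # (rule name, exposed source zones, blocking profiles)


def _members(node: ET.Element, path: str) -> List[str]:
    """Collect <member> text values under a path (PAN-OS lists are member elements)."""
    return [m.text for m in node.findall(f"{path}/member") if m.text]


def find_exposed_rules(config_xml: str, external_interfaces: Iterable[str]) -> List[Finding]:
    """Flag allow rules that apply a URL filtering profile with blocked categories
    to traffic whose source zone contains an external-facing interface."""
    ext_ifaces = set(external_interfaces)
    vsys = ET.fromstring(config_xml).find("devices/entry/vsys/entry")
    if vsys is None:
        raise ValueError("no vsys entry found in config")

    # A zone is external-facing if any interface under network/* is in the supplied list.
    external_zones: Set[str] = {
        z.get("name", "")
        for z in vsys.findall("zone/entry")
        if set(_members(z, "network/*")) & ext_ifaces
    }
    # Only profiles with at least one category under <block> can be abused;
    # alert-only profiles never send the block response that gets reflected.
    blocking_profiles: Set[str] = {
        p.get("name", "")
        for p in vsys.findall("profiles/url-filtering/entry")
        if _members(p, "block")
    }
    # Profile groups attach URL filtering indirectly.
    group_to_url: Dict[str, List[str]] = {
        g.get("name", ""): _members(g, "url-filtering")
        for g in vsys.findall("profile-group/entry")
    }

    findings: List[Finding] = []
    for rule in vsys.findall("rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # security profiles only act on sessions the rule allows
        src = set(_members(rule, "from"))
        exposed = src & external_zones
        if "any" in src and external_zones:
            exposed = exposed | {"any"}  # a source zone of 'any' matches external zones too
        if not exposed:
            continue
        attached = _members(rule, "profile-setting/profiles/url-filtering")
        for group in _members(rule, "profile-setting/group"):
            attached += group_to_url.get(group, [])
        hits = sorted(p for p in attached if p in blocking_profiles)
        if hits:
            findings.append((rule.get("name", ""), sorted(exposed), hits))
    return findings


if __name__ == "__main__":
    # In the sample, ethernet1/1 is the internet uplink; feed your own list in practice.
    for name, zones, profiles in find_exposed_rules(SAMPLE_CONFIG, {"ethernet1/1"}):
        print(f"rule {name!r}: source zones {zones} carry blocking URL profile(s) {profiles}")
```

On the sample, only inbound-via-group is reported: outbound-web has an internal source zone, inbound-alert-only attaches a profile with no blocked categories, and inbound-deny never applies its profile. The same pass, given the other interface as external, flags outbound-web instead, which is the expected shape of the finding on a real firewall where an internal zone has been mislabelled.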

CVSS provenance

nvd        v3.1   8.6  HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
vulncheck         8.6  HIGH
cisa              8.6  HIGH