High-Risk DoS Vulnerability (CVE-2022-0028) in Palo Alto PAN-OS Firewall
Palo Alto Networks PAN-OS vulnerability CVE-2022-0028 (CVSS score 8.6) lets an attacker abuse a misconfigured firewall to mount a reflected, amplified TCP denial-of-service attack against a target of their choosing. Learn which versions are affected and how to mitigate the risk.
2024-01-18
High-Severity DoS Vulnerability (CVE-2022-0028) in Palo Alto Networks PAN-OS Firewall
A high-severity denial of service (DoS) vulnerability in Palo Alto Networks firewalls, CVE-2022-0028 (CVSS score 8.6), affects the PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewalls. The flaw stems from a URL filtering policy misconfiguration in PAN-OS that lets an unauthenticated, network-based attacker conduct reflected and amplified TCP denial-of-service (RDoS) attacks against an attacker-specified target, with the traffic appearing to originate from the firewall.
Exploiting CVE-2022-0028 does not affect the confidentiality, integrity or availability of the Palo Alto Networks device itself; the harm lands on a third party. Because the firewall reflects the traffic, the victim sees the firewall's public address as the source of the flood. That hides the attacker, exposes the firewall's owner to abuse complaints and blocklisting, and complicates incident response and attribution for everyone involved.
Which PAN-OS Versions Are Vulnerable to CVE-2022-0028?
CVE-2022-0028 affects the PAN-OS releases listed below. Palo Alto Networks published its advisory and the fixed releases on August 10, 2022. The affected versions and their first fixed release are:
- PAN-OS 10.2: <10.2.2-h2 (Patched in version 10.2.2-h2)
- PAN-OS 10.1: <10.1.6-h6 (Patched in version 10.1.6-h6)
- PAN-OS 10.0: <10.0.11-h1 (Patched in version 10.0.11-h1)
- PAN-OS 9.1: <9.1.14-h4 (Patched in version 9.1.14-h4)
- PAN-OS 9.0: <9.0.16-h3 (Patched in version 9.0.16-h3)
- PAN-OS 8.1: <8.1.23-h1 (Patched in version 8.1.23-h1)
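Comparing a fleet's versions against the table above is error-prone by hand because the hotfix suffix (`-h6`) is not handled by a plain string comparison. The following Python example is added here to show one way to do the check; it is not code from Palo Alto Networks or from this page. It encodes only the fixed releases listed above, treats a release with no hotfix as `h0`, and reports a train the advisory does not list (for example anything newer than 10.2) as unknown rather than guessing. The sample inventory is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per affected PAN-OS train, from the advisory list above.
FIXED_RELEASES = {
    (10, 2): "10.2.2-h2",
    (10, 1): "10.1.6-h6",
    (10, 0): "10.0.11-h1",
    (9, 1): "9.1.14-h4",
    (9, 0): "9.0.16-h3",
    (8, 1): "8.1.23-h1",
}

# major.minor.maintenance with an optional hotfix suffix, e.g. 10.1.6-h6
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.1.6-h6' into (10, 1, 6, 6); a release without a hotfix counts as h0.

    Tuples compare numerically, so 10.1.6 < 10.1.6-h6 and 9.1.9 < 9.1.14,
    both of which a plain string comparison gets wrong.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the release is below the fix for its train, False if at or above it.

    Returns None for a train the advisory does not list, so the caller can
    verify it against the vendor rather than assume either way.
    """
    parsed = parse_panos_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group firewall hostnames by status for a {hostname: version} inventory."""
    result: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unlisted_train": []}
    for host, version in inventory.items():
        status = is_vulnerable(version)
        key = "unlisted_train" if status is None else ("vulnerable" if status else "fixed")
        result[key].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {
        "fw-edge-1": "10.1.6",      # below 10.1.6-h6
        "fw-edge-2": "10.1.6-h6",   # exactly the fix
        "fw-dc-1": "9.1.14-h3",     # one hotfix short
        "fw-lab": "11.0.0",         # train not in the advisory list
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Feed `triage()` the output of your device inventory (for example the `sw-version` field from the PAN-OS `show system info` command) and act on the `vulnerable` and `unlisted_train` buckets; the latter needs a manual check against the current vendor advisory rather than an assumption that newer is safe.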
Understanding the Nature of CVE-2022-0028 and the Risks
This DoS vulnerability is unusual because it is not a flaw in the firewall's own exposure but an abuse of a legitimate policy response. According to the vendor advisory, a firewall is affected only when all of the following hold: a URL filtering profile that blocks at least one category is assigned to a security policy rule whose source zone contains an external-facing interface; packet-based attack protection, specifically both "TCP SYN with Data" and "TCP Fast Open with Data", is not enabled in a Zone Protection profile for that zone; and flood protection is not enabled in a Zone Protection profile for that zone. In that state, an attacker sends crafted TCP traffic to the firewall with the source address spoofed to the intended victim; the firewall's URL filtering block response goes back to that spoofed source, so the victim receives traffic it never requested, larger than what the attacker sent and stamped with the firewall's address. The firewall thereby both reflects and amplifies the attack.
Palo Alto Networks Recommendations and Mitigation Steps
To protect against this vulnerability, Palo Alto Networks recommends upgrading to a fixed PAN-OS release, which addresses the issue without configuration changes. Where an upgrade cannot be scheduled immediately, the vendor advisory gives two workarounds, either of which removes a precondition of the attack: remove the URL filtering profile from security policy rules whose source zone contains an external-facing interface, or apply a Zone Protection profile to those zones with packet-based attack protection ("TCP SYN with Data" and "TCP Fast Open with Data") and flood protection enabled. The Zone Protection settings are worth keeping after the upgrade, since they also reduce exposure to other reflection and flood techniques.
For PAN-OS users, Palo Alto provides the following immediate steps for mitigation:
- Update PAN-OS Versions: Upgrading to the patched PAN-OS versions listed above will close the vulnerability.
- Review URL Filtering Policies: Audit which security policy rules carry a URL filtering profile and which of those have an internet-facing source zone. Each such rule needs either the profile removed or a Zone Protection profile with the protections above applied to the zone. Scheduled audits catch the same class of misconfiguration when rules change later.
- Use Threat Intelligence and Monitoring Tools: Watch for the signs of reflection abuse: bursts of TCP traffic leaving the firewall's external interface toward a single destination that no inside host initiated, and abuse reports naming the firewall's public address. Tracking atypical traffic patterns on the edge lets you detect attempts to exploit firewall configuration weaknesses quickly.
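The policy review above can be scripted against an exported configuration. The following Python example is added here to show how; it is not code from Palo Alto Networks or from this page. The configuration is a constructed, simplified snippet modelled on the PAN-OS XML export layout, and the element paths used for the Zone Protection settings (`flood/tcp-syn/enable`, `discard-tcp-syn-with-data`, `discard-tcp-fast-open-and-data`) are assumptions about that schema, to be confirmed against your own export. Which zones face the internet is not recorded in the configuration, so the caller supplies that set. The check is deliberately conservative: it flags any rule that carries a URL filtering profile on an external source zone without inspecting whether the profile blocks a category, so every hit is a candidate to confirm, not a proven exposure.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

# Constructed, simplified PAN-OS-style configuration (not a real export).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network><profiles><zone-protection-profile>
      <entry name="zp-hardened">
        <flood><tcp-syn><enable>yes</enable></tcp-syn></flood>
        <discard-tcp-syn-with-data>yes</discard-tcp-syn-with-data>
        <discard-tcp-fast-open-and-data>yes</discard-tcp-fast-open-and-data>
      </entry>
      <entry name="zp-flood-only">
        <flood><tcp-syn><enable>yes</enable></tcp-syn></flood>
      </entry>
    </zone-protection-profile></profiles></network>
    <vsys><entry name="vsys1">
      <zone>
        <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3>
          <zone-protection-profile>zp-flood-only</zone-protection-profile></network></entry>
        <entry name="dmz"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
        <entry name="guest"><network><layer3><member>ethernet1/3</member></layer3>
          <zone-protection-profile>zp-hardened</zone-protection-profile></network></entry>
      </zone>
      <rulebase><security><rules>
        <entry name="inbound-web"><from><member>untrust</member></from><to><member>dmz</member></to>
          <profile-setting><profiles><url-filtering><member>block-risky</member></url-filtering></profiles></profile-setting></entry>
        <entry name="dmz-out"><from><member>dmz</member></from><to><member>untrust</member></to>
          <profile-setting><profiles><url-filtering><member>block-risky</member></url-filtering></profiles></profile-setting></entry>
        <entry name="guest-out"><from><member>guest</member></from><to><member>untrust</member></to>
          <profile-setting><profiles><url-filtering><member>block-risky</member></url-filtering></profiles></profile-setting></entry>
        <entry name="inbound-plain"><from><member>untrust</member></from><to><member>dmz</member></to></entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""

# Zone Protection settings the vendor workaround asks for. The element paths are
# an assumption about the PAN-OS XML schema; confirm them against a real export.
REQUIRED_PROTECTIONS = {
    "flood/tcp-syn/enable": "SYN flood protection",
    "discard-tcp-syn-with-data": "TCP SYN with Data",
    "discard-tcp-fast-open-and-data": "TCP Fast Open with Data",
}


def missing_protections(root: ET.Element, profile_name: Optional[str]) -> List[str]:
    """Protections not enabled in the named Zone Protection profile (all of them if no profile)."""
    profile = None
    for entry in root.iterfind("./devices/entry/network/profiles/zone-protection-profile/entry"):
        if entry.get("name") == profile_name:
            profile = entry
    if profile is None:
        return list(REQUIRED_PROTECTIONS.values())
    return [label for path, label in REQUIRED_PROTECTIONS.items()
            if (getattr(profile.find(path), "text", None) or "").strip() != "yes"]


def find_exposed_rules(config_xml: str, external_zones: Set[str]) -> List[Dict]:
    """Rules with a URL filtering profile whose external source zone lacks a required protection."""
    root = ET.fromstring(config_xml)
    vsys = root.find("./devices/entry/vsys/entry")
    zone_profile: Dict[str, Optional[str]] = {}
    for zone in vsys.iterfind("./zone/entry"):
        node = zone.find("./network/zone-protection-profile")
        zone_profile[zone.get("name")] = node.text.strip() if node is not None and node.text else None
    findings = []
    for rule in vsys.iterfind("./rulebase/security/rules/entry"):
        if rule.find("./profile-setting/profiles/url-filtering/member") is None:
            continue  # no URL filtering profile, so no block response to reflect
        for src in rule.iterfind("./from/member"):
            zone_name = (src.text or "").strip()
            if zone_name not in external_zones:
                continue
            gaps = missing_protections(root, zone_profile.get(zone_name))
            if gaps:
                findings.append({"rule": rule.get("name"), "zone": zone_name,
                                 "profile": zone_profile.get(zone_name), "missing": gaps})
    return findings


if __name__ == "__main__":
    for f in find_exposed_rules(SAMPLE_CONFIG, {"untrust", "dmz"}):
        print(f"{f['rule']}: zone {f['zone']} (profile {f['profile']}) lacks {', '.join(f['missing'])}")
```

On the sample, `inbound-web` is flagged because the untrust zone's profile only enables SYN flood protection, `dmz-out` because the dmz zone has no Zone Protection profile at all, and `guest-out` passes because its zone carries a profile with all three protections. Run it over a real export with the zone names you consider internet-facing and work through the findings in that order: remove the profile or harden the zone, then re-run until the list is empty.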
Exploitation was attempted in the wild before the fix was widely deployed, and CISA added CVE-2022-0028 to its Known Exploited Vulnerabilities (KEV) catalog on August 22, 2022, so treat the upgrade or workaround as due rather than optional. What makes the flaw attractive despite its narrow preconditions is the attribution problem it creates: the attacker points a spoofed TCP stream at the firewall so that the block responses land on the chosen target, and the target's logs then record the firewall, not the attacker, as the source.
For those managing high-stakes or highly exposed systems, consider Keepnet's Human Risk Management Platform for monitoring of user actions and behavior that could expose security gaps.
For a complete breakdown of best practices in security awareness, Keepnet Labs' Security Awareness Training guides IT and security teams through the security configurations that prevent exploitable scenarios like this one.
Implications for Security Teams and the Importance of Proactive Patching
Proactive vulnerability management and fast patching cycles are crucial for staying ahead of these types of threats. Even a minor misconfiguration becomes an exploitable vulnerability when it lets attackers turn enterprise infrastructure against third parties. In the case of CVE-2022-0028, letting attackers launder their traffic through your firewall not only adds security risk but can also damage the organization's reputation, since the victim and any upstream provider will see your firewall as the apparent source of the attack.
Security Awareness and Proactive Defense
Security awareness is an essential complement to effective patch management. Investing in solutions like Phishing Simulators and Awareness Educators helps users recognize signs of malicious activity while IT teams maintain best practices for network defenses. Read more on the role of security awareness training in reducing human error for deeper insights into proactive defense.
For more on Denial of Service (DoS) attack prevention, explore the related posts on incident response for DoS attacks and threat response management for complex environments.
Editor’s note: This blog was updated November 12, 2024