This month, Palo Alto Networks, a well-known firewall manufacturer, published a security advisory detailing a high-severity reflected denial of service (DoS) vulnerability in PAN-OS that affects multiple firewall models. The flaw, tracked as CVE-2022-0028, affects PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewalls. The vendor noted that the flaw does not impact confidentiality, integrity, or availability in any way, but it can allow an attacker to hide their identity while carrying out an attack; in other words, the vulnerability makes the firewall lose its ability to track the source of the attack. Fixing CVE-2022-0028 is necessary because the U.S. Cybersecurity and Infrastructure Security Agency (CISA) determined that the flaw is being actively exploited in the wild and added it to its Known Exploited Vulnerabilities Catalog.
Let's see how to fix CVE-2022-0028, a reflected DoS vulnerability in PAN-OS, along with the devices affected, the root cause, the implications, and a couple of workarounds for those who cannot apply the fix right away. Before that, we have included a short note about PAN-OS and reflected DoS attacks to make the vulnerability easier to understand.
A Short Note About The PAN-OS:
The Palo Alto Networks Operating System (PAN-OS) is a security-focused operating system that runs on all of the company’s next-generation firewalls. It offers a number of features designed to improve security, including:
- A unified management console for managing all aspects of the firewall
- A built-in intrusion detection and prevention system (IDS/IPS)
- A web filtering engine for blocking malicious or unwanted websites
- A malware protection system for detecting and preventing infections
PAN-OS is continuously updated with protections against the latest security threats, making it an effective way to keep your network safe.
What is a Reflected Denial of Service Attack?
A reflected denial of service (RDoS) attack is a type of DoS attack in which the attacker sends requests to a server in such a way that the server's responses are directed at the victim rather than back to the attacker, often in far greater volume than the original requests. This can overwhelm the victim's resources, causing the victim's system to crash or become unavailable. Reflected DoS attacks are often used in conjunction with other types of attacks, such as distributed denial of service (DDoS) attacks.
Reflected DoS attacks are typically harder to carry out than other types of DoS attacks because the attacker must first find a server that will respond to their requests in this way. Once such a server is found, however, a reflected DoS attack can be very effective at taking down a victim's system.
Summary of CVE-2022-0028
CVE-2022-0028 is a reflected DoS vulnerability in PAN-OS. The issue stems from a misconfiguration of the URL filtering policy in the vulnerable versions of the firewall. The vendor noted that the flaw does not impact confidentiality, integrity, or availability in any way. However, it may help an attacker obfuscate their identity and implicate the firewall as the source of the attack.
As per the advisory, to exploit the vulnerability the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external-facing network interface.
Attackers can exploit the firewall only when all of the following configuration conditions are true:
- The security policy on the firewall that allows traffic to pass from Zone A to Zone B includes a URL filtering profile with one or more blocked categories;
- Packet-based attack protection is not enabled in a Zone Protection profile for Zone A including both (Packet Based Attack Protection > TCP Drop > TCP Syn With Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open);
- Flood protection through SYN cookies is not enabled in a Zone Protection profile for Zone A (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
– Palo Alto Networks
When the firewall is in the above configuration, it leads to a network amplification condition. In this condition, the firewall loses its ability to distinguish between legitimate traffic and traffic intended to serve as an amplification attack. As a result, the firewall loses control over the volume of network traffic it transmits and ends up transmitting traffic on behalf of the client (the attacker). This lets the attacker generate more traffic than the firewall would otherwise allow, which causes a denial of service.
| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-0028 |
| Description | A Reflected Denial of Service Vulnerability in PAN-OS |
| Associated ZDI ID | – |
| CVSS Score | 8.6 High |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
Versions Affected by CVE-2022-0028
This Reflected Denial of Service vulnerability affects PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewall modules running the below PAN-OS versions.
- PAN-OS 10.2 (version < 10.2.2-h2)
- PAN-OS 10.1 (version < 10.1.6-h6)
- PAN-OS 10.0 (version < 10.0.11-h1)
- PAN-OS 9.1 (version < 9.1.14-h4)
- PAN-OS 9.0 (version < 9.0.16-h3)
- PAN-OS 8.1 (version < 8.1.23-h1)
How to Fix CVE-2022-0028, a Reflected DoS Vulnerability in PAN-OS?
Palo Alto Networks addressed this vulnerability by releasing patches. To fix CVE-2022-0028, update PAN-OS to the latest release, or at least to PAN-OS 8.1.23-h1, 9.0.16-h3, 9.1.14-h4, 10.0.11-h1, 10.1.6-h6, or 10.2.2-h2.
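As an added example (our own illustration, not code from the advisory or from Palo Alto Networks), the following Python compares a PAN-OS version string against the fixed releases listed above. It treats the `-hN` hotfix suffix as part of the version order and a base release as hotfix 0, so that 10.1.6-h5 is flagged as affected while 10.1.6-h6 and 10.1.7 are not.

```python
import re
from typing import Optional, Tuple

# First fixed build on each affected release train, as listed in the advisory.
# Anything on the same major.minor train that sorts below it is affected.
FIXED_RELEASES = {
    "8.1": "8.1.23-h1",
    "9.0": "9.0.16-h3",
    "9.1": "9.1.14-h4",
    "10.0": "10.0.11-h1",
    "10.1": "10.1.6-h6",
    "10.2": "10.2.2-h2",
}

# major.minor.maintenance with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a sortable tuple.

    A release without a hotfix suffix is treated as hotfix 0, so that
    10.2.2 < 10.2.2-h1 < 10.2.2-h2 < 10.2.3 under plain tuple comparison.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """Return True if the version is affected by CVE-2022-0028, False if it
    carries the fix, and None if its release train is not in the advisory."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


if __name__ == "__main__":
    for v in ("10.1.6-h5", "10.1.6-h6", "10.1.7", "8.1.22", "11.0.0"):
        print(v, "->", is_affected(v))
```

Running the block prints the verdict for a few sample versions; `None` means the train was not covered by the advisory and should be checked separately.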
If you are not in a position to fix the flaw anytime soon, you can go with one of the workarounds. These workarounds protect your firewall from being exploited by attackers.
Workaround 1: Review the configuration conditions listed in the summary section that allow attackers to exploit the flaw. Inverting that configuration will protect your firewall from being exploited.
Workaround 2: Enable either packet-based attack protection or flood protection on all security zones with an assigned security policy that includes a URL filtering profile. It is important to understand the trade-offs before choosing one protection over the other.
The packet-based attack protection workaround will prevent the firewall from establishing TCP sessions in impacted zones when the TCP SYN packet contains data in the three-way handshake for a TCP session. Please note that this workaround may disrupt applications that use TCP Fast Open in the zone. If you instead decide to enable the flood protection workaround, first make sure you understand how enabling SYN cookies will change traffic flow in the impacted zones.
– Palo Alto Networks
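To turn the advisory's three exploitability conditions and the two workarounds above into a repeatable audit, here is an added example (our own illustration, not Palo Alto Networks code). It evaluates a simplified, constructed model of security rules and Zone Protection profiles; the dataclass fields are assumptions standing in for the real PAN-OS settings named in the quoted text, and the sample rules and zones are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class ZoneProtection:
    """Constructed stand-in for the Zone Protection settings the advisory names."""
    drop_tcp_syn_with_data: bool = False     # TCP Drop > TCP Syn With Data
    strip_tcp_fast_open: bool = False        # TCP Drop > Strip TCP Options > TCP Fast Open
    syn_cookies: bool = False                # Flood Protection > SYN > Action > SYN Cookie
    syn_cookie_activate_threshold: int = 0   # advisory requires an activation threshold of 0

@dataclass
class SecurityRule:
    name: str
    from_zone: str
    url_blocked_categories: List[str] = field(default_factory=list)  # from URL filtering profile

def zone_is_mitigated(zp: Optional[ZoneProtection]) -> bool:
    """True if either workaround is fully in place for the zone."""
    if zp is None:
        return False
    packet_based = zp.drop_tcp_syn_with_data and zp.strip_tcp_fast_open
    flood = zp.syn_cookies and zp.syn_cookie_activate_threshold == 0
    return bool(packet_based or flood)

def find_exposed_zones(rules: List[SecurityRule], profiles: Dict[str, ZoneProtection],
                       external_zones: Set[str]) -> Dict[str, List[str]]:
    """Map each zone that meets all three advisory conditions to the rules exposing it."""
    exposed: Dict[str, List[str]] = {}
    for rule in rules:
        if not rule.url_blocked_categories:       # condition 1: blocked URL categories
            continue
        if rule.from_zone not in external_zones:  # source zone must face outward
            continue
        if zone_is_mitigated(profiles.get(rule.from_zone)):  # conditions 2 and 3 negated
            continue
        exposed.setdefault(rule.from_zone, []).append(rule.name)
    return exposed

# Constructed sample: "untrust" has the packet-based workaround, "dmz" has SYN cookies
# but with a non-zero threshold, and "trust" is internal and therefore out of scope.
SAMPLE_RULES = [
    SecurityRule("allow-web", "untrust", ["malware", "phishing"]),
    SecurityRule("allow-dmz", "dmz", ["malware"]),
    SecurityRule("allow-lan", "trust", ["gambling"]),
]
SAMPLE_PROFILES = {
    "untrust": ZoneProtection(drop_tcp_syn_with_data=True, strip_tcp_fast_open=True),
    "dmz": ZoneProtection(syn_cookies=True, syn_cookie_activate_threshold=1000),
}
EXTERNAL_ZONES = {"untrust", "dmz"}
```

Calling `find_exposed_zones(SAMPLE_RULES, SAMPLE_PROFILES, EXTERNAL_ZONES)` returns only the `dmz` zone, because SYN cookies with a non-zero activation threshold do not satisfy the flood-protection workaround.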
We hope this post helps you understand how to fix CVE-2022-0028, a reflected DoS vulnerability in PAN-OS. Please share this post if you found it interesting.