Source(s): US Cybersecurity and Infrastructure Security Agency (CISA)
Sector: Security Vulnerability
Reported by: CISA
Date(s) Issued: 03 September 2022
Subject: The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.
OVERVIEW: Threat actors can exploit a bug in the PAN-OS operating system that runs the firewalls, allowing them to launch DDoS attacks.
SYSTEMS AFFECTED: PAN-OS operating systems
RISK: Attackers can exploit the flaw to deploy both reflected and amplified versions of DDoS floods.
THREAT SUMMARY:
A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS traffic would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) or CN-Series (container) firewall and be directed at an attacker-specified target.
To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator.
If exploited, this issue would not impact the confidentiality, integrity, or availability of the affected Palo Alto Networks products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack.
Mitigation:
For the newly exploited PAN-OS bug, patches are available in the following versions:
• PAN-OS 8.1.23-h1
• PAN-OS 9.0.16-h3
• PAN-OS 9.1.14-h4
• PAN-OS 10.0.11-h1
• PAN-OS 10.1.6-h6
• PAN-OS 10.2.2-h2
• And all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.
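A practical first step is to compare the PAN-OS version reported by each firewall against the fixed releases above. The following script is an added example (not code from CISA or Palo Alto Networks): the fixed-version list is taken from the advisory, while the version-string grammar (major.minor.patch with an optional "-hN" hotfix suffix, where a missing hotfix sorts below any hotfix of the same patch) is an assumption based on how PAN-OS releases are usually written. The sample inventory is constructed.

```python
"""Classify PAN-OS versions as patched / vulnerable / needs-review for this advisory."""
import re
from typing import Dict, Optional, Tuple

# Fixed releases listed in the advisory. A device at or above the fixed release
# of its own maintenance train, or on any later train, is treated as patched.
FIXED_VERSIONS = [
    "8.1.23-h1",
    "9.0.16-h3",
    "9.1.14-h4",
    "10.0.11-h1",
    "10.1.6-h6",
    "10.2.2-h2",
]

# Assumed grammar: "10.1.6-h6" -> major=10, minor=1, patch=6, hotfix=6.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string into a comparable tuple; no hotfix suffix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_patched(version: str) -> Optional[bool]:
    """True if patched, False if vulnerable, None if the train is not covered by the advisory."""
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_VERSIONS]
    same_train = [f for f in fixed if f[:2] == v[:2]]
    if same_train:
        # Same major.minor train: compare patch and hotfix numbers.
        return v >= same_train[0]
    newest_train = max(f[:2] for f in fixed)
    if v[:2] > newest_train:
        return True  # "and all later PAN-OS versions"
    return None  # older train not named in the advisory: review manually


def classify_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> 'patched' | 'vulnerable' | 'review' for a {host: version} inventory."""
    labels = {True: "patched", False: "vulnerable", None: "review"}
    return {host: labels[is_patched(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real devices.
    sample = {
        "fw-edge-01": "10.1.6-h6",
        "fw-edge-02": "10.1.6",
        "fw-dc-01": "10.2.3",
        "fw-lab-01": "9.1.14-h3",
        "fw-old-01": "8.0.21",
    }
    for host, status in classify_hosts(sample).items():
        print(f"{host:12} {sample[host]:12} {status}")
```

Hosts reported as "review" are on a train the advisory does not name; treat them as unpatched until the vendor's release notes for that train are checked.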
To prevent denial-of-service (DoS) attacks resulting from this issue from all sources, you can configure your Palo Alto Networks firewalls by enabling one of two zone protection mitigations on all Security zones with an assigned Security policy that includes a URL filtering profile:
1. Packet-based attack protection including both (Packet Based Attack Protection > TCP Drop > TCP SYN with Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open)
OR
2. Flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
Developing Situation:
The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.
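To check a firewall for the exploitable pattern described in the threat summary (a URL filtering profile with blocked categories on a rule whose source zone faces the internet) and for the two zone-protection mitigations listed above, an operator can audit an exported configuration offline. The script below is an added example, not code from CISA, Palo Alto Networks or the SOC. The XML layout and element names (profile-setting/profiles/url-filtering, zone-protection-profile, discard-tcp-syn-with-data, strip-tcp-opt/tcp-fast-open, flood/tcp-syn/syn-cookies/activate-rate) are assumptions modelled on the PAN-OS XML export and should be verified against a real export before relying on the results. Because the configuration alone does not say which interfaces face outside, the list of external zones is supplied by the operator. The sample configuration is constructed.

```python
"""Audit a PAN-OS XML configuration for the RDoS-prone URL filtering pattern and its mitigations."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample export (assumed layout, not a real device configuration).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network><profiles><zone-protection-profile>
  <entry name="zp-edge">
    <flood><tcp-syn><enable>yes</enable><syn-cookies><activate-rate>0</activate-rate></syn-cookies></tcp-syn></flood>
  </entry>
  <entry name="zp-weak">
    <discard-tcp-syn-with-data>yes</discard-tcp-syn-with-data>
    <strip-tcp-opt><tcp-fast-open>no</tcp-fast-open></strip-tcp-opt>
  </entry>
</zone-protection-profile></profiles></network>
<vsys><entry name="vsys1">
  <zone>
    <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3><zone-protection-profile>zp-edge</zone-protection-profile></network></entry>
    <entry name="dmz"><network><layer3><member>ethernet1/3</member></layer3><zone-protection-profile>zp-weak</zone-protection-profile></network></entry>
    <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
  </zone>
  <profiles><url-filtering>
    <entry name="block-bad"><block><member>malware</member><member>phishing</member></block></entry>
    <entry name="alert-only"><alert><member>malware</member></alert></entry>
  </url-filtering></profiles>
  <rulebase><security><rules>
    <entry name="inbound-web"><from><member>untrust</member></from><to><member>trust</member></to>
      <profile-setting><profiles><url-filtering><member>block-bad</member></url-filtering></profiles></profile-setting></entry>
    <entry name="dmz-out"><from><member>dmz</member></from><to><member>untrust</member></to>
      <profile-setting><profiles><url-filtering><member>alert-only</member></url-filtering></profiles></profile-setting></entry>
    <entry name="outbound-web"><from><member>trust</member></from><to><member>untrust</member></to>
      <profile-setting><profiles><url-filtering><member>block-bad</member></url-filtering></profiles></profile-setting></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

VSYS = "devices/entry/vsys/entry"
ZPP = "devices/entry/network/profiles/zone-protection-profile/entry"


def blocking_url_profiles(root: ET.Element) -> Set[str]:
    """Names of URL filtering profiles that block at least one category."""
    return {p.get("name") for vsys in root.findall(VSYS)
            for p in vsys.findall("profiles/url-filtering/entry") if p.findall("block/member")}


def rules_with_url_filtering(root: ET.Element) -> List[Tuple[str, List[str], str]]:
    """(rule name, source zones, URL profile) for every security rule carrying a URL filtering profile."""
    out = []
    for vsys in root.findall(VSYS):
        for rule in vsys.findall("rulebase/security/rules/entry"):
            prof = rule.findtext("profile-setting/profiles/url-filtering/member")
            if prof:
                out.append((rule.get("name"), [m.text for m in rule.findall("from/member")], prof))
    return out


def zone_protection_ok(zpp) -> bool:
    """True if a zone-protection-profile element applies either advisory mitigation."""
    if zpp is None:
        return False
    packet_based = (zpp.findtext("discard-tcp-syn-with-data") == "yes"
                    and zpp.findtext("strip-tcp-opt/tcp-fast-open") == "yes")
    syn_cookie = (zpp.findtext("flood/tcp-syn/enable") == "yes"
                  and zpp.findtext("flood/tcp-syn/syn-cookies/activate-rate") == "0")
    return packet_based or syn_cookie


def audit(config_xml: str, external_zones: Iterable[str]) -> Dict[str, List[str]]:
    """Return rules matching the exploitable pattern and zones that still lack a mitigation."""
    root = ET.fromstring(config_xml)
    ext = set(external_zones)
    blocking = blocking_url_profiles(root)
    rules = rules_with_url_filtering(root)
    profiles = {p.get("name"): p for p in root.findall(ZPP)}
    zone_profile = {z.get("name"): z.findtext("network/zone-protection-profile")
                    for vsys in root.findall(VSYS) for z in vsys.findall("zone/entry")}
    # Exploitable pattern: blocking URL profile on a rule sourced from an external zone ("any" counts).
    exposed = [name for name, froms, prof in rules
               if prof in blocking and ("any" in froms or ext.intersection(froms))]
    # Mitigation scope per the advisory: every zone sourcing a rule with any URL filtering profile.
    needs: Set[str] = set()
    for _, froms, _ in rules:
        needs.update(zone_profile.keys() if "any" in froms else froms)
    missing = sorted(z for z in needs if not zone_protection_ok(profiles.get(zone_profile.get(z))))
    return {"exposed_rules": exposed, "zones_missing_mitigation": missing}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, external_zones=["untrust"])
    print("rules matching the exploitable pattern:", result["exposed_rules"])
    print("zones lacking a zone-protection mitigation:", result["zones_missing_mitigation"])
```

In the constructed sample, "inbound-web" is flagged because it applies a blocking URL profile to traffic sourced from the external "untrust" zone; "untrust" itself passes because its zone-protection profile enables SYN cookies at an activation threshold of 0, whereas "dmz" (TCP Fast Open stripping disabled) and "trust" (no profile at all) still need one of the two mitigations.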