CyFlare SOC Advisory – Palo Alto Firewall Bug Exploit
Incident Report for CyFlare
Posted Date: 9/6/2022

Source(s): US Cybersecurity and Infrastructure Security Agency (CISA)

Sector: Security Vulnerability

Reported by: CISA

Date(s) Issued: 03 September 2022

Subject: The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.

Threat actors can exploit a bug in the PAN-OS operating system that runs the firewalls, allowing them to launch DDoS attacks.

PAN-OS operating systems

Attackers can exploit the flaw to deploy both reflected and amplified versions of DDoS floods.


A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target.

To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator.

If exploited, this issue would not impact the confidentiality, integrity, or availability of Palo Alto Networks products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack.


For the newly exploited PAN-OS bug, patches are available in the following versions:
• PAN-OS 8.1.23-h1
• PAN-OS 9.0.16-h3
• PAN-OS 9.1.14-h4
• PAN-OS 10.0.11-h1
• PAN-OS 10.1.6-h6
• PAN-OS 10.2.2-h2
• And all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.
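
A fleet inventory can be checked against the fixed releases listed above. The following is an added example, not part of the original advisory or any vendor tooling. It assumes version strings of the form `major.minor.maintenance[-hN]`, treats release trains newer than the highest listed one as patched (per "all later PAN-OS versions"), and uses constructed, hypothetical hostnames.

```python
import re

# Fixed releases listed in the advisory, keyed by release train (major, minor).
# Values are (maintenance, hotfix) of the first patched build in that train.
FIXED = {
    (8, 1): (23, 1),
    (9, 0): (16, 3),
    (9, 1): (14, 4),
    (10, 0): (11, 1),
    (10, 1): (6, 6),
    (10, 2): (2, 2),
}

# Assumed version format: major.minor.maintenance with an optional -hN hotfix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return ((major, minor), (maintenance, hotfix)) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    major, minor, maint = (int(g) for g in m.group(1, 2, 3))
    hotfix = int(m.group(4) or 0)  # no -hN suffix means hotfix level 0
    return (major, minor), (maint, hotfix)


def patch_status(text):
    """Classify a version as 'patched', 'needs-upgrade' or 'unknown'."""
    try:
        train, build = parse_version(text)
    except ValueError:
        return "unknown"
    if train in FIXED:
        return "patched" if build >= FIXED[train] else "needs-upgrade"
    if train > max(FIXED):
        return "patched"  # assumption: covered by "all later PAN-OS versions"
    return "unknown"      # train not listed in the advisory; verify manually


def triage(inventory):
    """Map each firewall name to its patch status."""
    return {name: patch_status(ver) for name, ver in inventory.items()}


# Constructed inventory for illustration (hostnames are hypothetical).
SAMPLE = {"fw-edge-1": "10.1.6-h3", "fw-edge-2": "10.1.6-h6",
          "fw-dc-1": "9.1.15", "fw-lab": "8.0.20", "fw-new": "11.0.0",
          "fw-odd": "10.2.2-beta"}

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name}: {SAMPLE[name]} -> {status}")
```

Devices reported as `unknown` run a release train the advisory does not list or have an unparseable version string, and need manual review.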

To prevent denial-of-service (DoS) attacks resulting from this issue from all sources, you can configure your Palo Alto Networks firewalls by enabling one of two zone protection mitigations on all Security zones with an assigned Security policy that includes a URL filtering profile:

1. Packet-based attack protection including both (Packet Based Attack Protection > TCP Drop > TCP SYN with Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open).

2. Flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.

Developing Situation:

The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt for related indicators of compromise and scan for the vulnerabilities among our clients that have the Vulnerability Management Service.

Reference Links:

Should you have any questions or concerns please place a ticket with the SOC using or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC
Posted Sep 06, 2022 - 09:48 EDT
This incident affects: Breach Detection Service.