Full Report
CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP.
Analysis Summary
# Vulnerability: Reflected and Amplified DoS in Palo Alto Networks PAN-OS Due to URL Filtering Misconfiguration
## CVE Details
- CVE ID: CVE-2022-0028
- CVSS Score: Not explicitly provided, but described as **high-severity**.
- CWE: Not explicitly provided.
## Affected Systems
- Products: PA-Series, VM-Series, and CN-Series devices running PAN-OS firewall software.
- Versions:
  - PAN-OS prior to 10.2.2-h2
  - PAN-OS prior to 10.1.6-h6
  - PAN-OS prior to 10.0.11-h1
  - PAN-OS prior to 9.1.14-h4
  - PAN-OS prior to 9.0.16-h3
  - PAN-OS prior to 8.1.23-h1
- Configurations: A specific, non-standard configuration is required: The firewall configuration **must** have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external-facing network interface.
## Vulnerability Description
The vulnerability is a flaw in PAN-OS URL filtering that allows a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. If exploited, the DoS attack would appear to originate from the affected Palo Alto Networks firewall (PA-Series, VM-Series, or CN-Series) against an attacker-specified third-party target. This allows the attacker to magnify malicious traffic while obscuring the true source of the attack.
## Exploitation
- Status: **Actively exploited in the wild** (Added to CISA KEV catalog).
- Complexity: Not explicitly stated, but RDoS attacks generally require low to medium complexity to initiate, especially when reflection vectors are known.
- Attack Vector: **Network** (remote; no authentication is required to trigger the reflection).
## Impact
- Confidentiality: Not specified (Primary impact is service disruption).
- Integrity: Not specified (Primary impact is service disruption).
- Availability: **High** (The vulnerability enables reflected and amplified DoS attacks, designed to overwhelm and take services offline).
## Remediation
### Patches
The following versions contain the available fixes:
- PAN-OS 10.2.2-h2 and later
- PAN-OS 10.1.6-h6 and later
- PAN-OS 10.0.11-h1 and later
- PAN-OS 9.1.14-h4 and later
- PAN-OS 9.0.16-h3 and later
- PAN-OS 8.1.23-h1 and later
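As an added example (not code from the advisory, CISA, or Palo Alto Networks), the helper below parses PAN-OS version strings of the form `major.minor.maint[-hN]` and compares them against the fixed versions listed above, treating a missing `-h` suffix as hotfix 0. It only knows the release trains named in this report (anything else is reported as unknown, an assumption of this example) and does not check the URL filtering configuration precondition, which must be verified separately.

```python
import re
from typing import Optional, Tuple

# First fixed version on each release train, as listed in the Patches section.
# Any version on the same train that sorts below its fixed version is affected.
FIXED_VERSIONS = [
    "10.2.2-h2", "10.1.6-h6", "10.0.11-h1",
    "9.1.14-h4", "9.0.16-h3", "8.1.23-h1",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple; no -h suffix means hotfix 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# Map each release train (major.minor) to the tuple of its first fixed version.
_FIX_BY_TRAIN = {parse_panos_version(v)[:2]: parse_panos_version(v) for v in FIXED_VERSIONS}


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix on its train, False if it is at or past the fix.

    Returns None for a train the advisory list does not cover (assumption: unknown,
    not safe), so the caller can escalate rather than silently mark it clean.
    """
    parsed = parse_panos_version(version)
    fixed = _FIX_BY_TRAIN.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for v in ["10.1.5", "10.1.6-h5", "10.1.6-h6", "10.2.2", "10.2.3", "11.0.0"]:
        print(f"{v:>10}: affected={is_affected(v)}")
```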
### Workarounds
No official workarounds were explicitly detailed in the provided text, as the immediate recommendation is to patch. The vulnerability is contingent on a specific, likely unintended, misconfiguration involving URL filtering profiles assigned to security rules with external-facing source zones.
## Detection
- Indicators of Compromise: Attacks manifest as high-volume, reflected TCP denial-of-service traffic appearing to originate *from* the affected firewall towards an external target.
- Detection methods and tools: Organizations should monitor outbound traffic from firewalls for unusual, massive SYN/SYN-ACK patterns indicative of reflection/amplification attacks originating from their assets.
## References
- Vendor Advisories: https://security.paloaltonetworks.com/CVE-2022-0028
- Other Relevant Links: https://www.cisa.gov/known-exploited-vulnerabilities-catalog