External risk intelligence

PAN-OS URL Filtering Policy Misconfiguration Allows Denial-of-Service Attacks.

CVE advisory
Known exploit

CVE-2022-0028

A misconfiguration in PAN-OS URL filtering policies allows network attackers to conduct denial-of-service attacks, appearing to originate from Palo Alto Networks firewalls. This could obscure attacker identity and implicate the firewall, impacting service availability but not data confidentiality or integrity. Realisti

Halo Surface Signal: 2

Palo Alto Networks PAN-OS

Affected versions:

  • 8.1.0 to before 8.1.23
  • 9.0.0 to before 9.0.16
  • 9.1.0 to before 9.1.14
  • 10.0.0 to before 10.0.11
  • 10.1.0 to before 10.1.6
  • 10.2.0 to before 10.2.2

Fixed versions: 8.1.23, 9.0.16, 9.1.14, 10.0.11, 10.1.6, 10.2.2

External exposure likelihood

Halo Surface Signal score for CVE-2022-0028

The vulnerability requires a specific, non-typical, and likely unintended URL filtering policy configuration to be applied to an external-facing interface. While the firewall itself may be internet-facing, this specific misconfiguration is not a standard deployment pattern, making broad exploitation less likely in typical environments.

Horizon Alert

Summary of the vulnerability and why it matters

A misconfiguration in PAN-OS URL filtering policies can enable a network-based attacker to launch amplified denial-of-service attacks. These attacks would appear to originate from Palo Alto Networks firewalls and target a user-specified destination. Exploitation is possible if a URL filtering profile with blocked categories is applied to a source zone with an external-facing interface. This specific configuration is not typical and is likely unintended by administrators.

  • PAN-OS URL filtering policies
  • Policy misconfiguration allows DoS attacks
  • Facilitates attacker anonymity and misdirection

Attack Path

How an attacker could exploit the issue

A network-based attacker can exploit a PAN-OS URL filtering misconfiguration to launch reflected and amplified denial-of-service attacks. These attacks appear to originate from Palo Alto Networks firewalls but target an attacker-specified destination. This could potentially obscure the attacker's identity and implicate the firewall. Exploitation of this issue does not affect the confidentiality or integrity of affected products.

  • Misconfigured URL filtering policy.
  • Network attacker gains access.
  • Trigger DoS attack.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows a network-based attacker to conduct reflected and amplified denial-of-service (DoS) attacks. These attacks would appear to originate from a Palo Alto Networks firewall, potentially obfuscating the attacker's identity and implicating the firewall as the source. While the vulnerability does not impact the confidentiality or integrity of the affected products, it can lead to a denial-of-service condition for the attacker-specified target.

  • Low attacker skill level.
  • Requires specific firewall misconfiguration.
  • High business risk due to active exploitation.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A misconfiguration in PAN-OS URL filtering policies can allow network attackers to launch denial-of-service (DoS) attacks. These attacks appear to originate from Palo Alto Networks firewalls, potentially masking the attacker's true identity. Exploitation would not compromise data confidentiality or integrity but could disrupt service availability and implicate the firewall.

  • Find firewalls with specific URL filtering misconfigurations.
  • Adjust URL filtering policies to mitigate risk.
  • Apply vendor updates, verify changes, and monitor.

Frequently asked questions

What is CVE-2022-0028 and how does it affect Palo Alto Networks PAN-OS?

CVE-2022-0028 is a vulnerability in Palo Alto Networks PAN-OS where a URL filtering policy misconfiguration can allow a network attacker to launch reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack appears to originate from a Palo Alto Networks firewall, targeting an attacker-specified destination.

What is the weakness class associated with CVE-2022-0028?

The weakness class associated with CVE-2022-0028 is CWE-406, which relates to the improper neutralization of input during the generation of dynamic custom error messages. In this specific case, it enables reflected and amplified DoS attacks.

How can CVE-2022-0028 be exploited, and what is the scope of impact?

Exploitation requires a network-based attacker to leverage a specific PAN-OS URL filtering misconfiguration where a URL filtering profile with blocked categories is assigned to a source zone with an external-facing interface. This specific setup is not typical and likely unintended. If exploited, the attack causes a denial-of-service but does not impact the confidentiality or integrity of the products.

What is the relevance of the Halo Surface Signal for CVE-2022-0028?

The Halo Surface Signal indicates that this vulnerability is 'Unlikely' to be broadly exploited. This is because exploitation requires a specific, non-typical, and likely unintended URL filtering policy configuration on an external-facing interface, making widespread misuse less probable in standard environments.

What practical steps should be taken to address CVE-2022-0028?

To address CVE-2022-0028, administrators should identify PAN-OS firewalls with the specific URL filtering misconfiguration. Adjusting these policies to mitigate the risk is crucial. Applying vendor software updates, verifying configuration changes, and continuous monitoring are recommended actions.
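The "find firewalls with the specific URL filtering misconfiguration" step in the Operational Fix list above and in this answer can be scripted against an exported configuration. The following is an added example, not tooling from Palo Alto Networks or from this advisory: it parses a constructed PAN-OS-style XML snippet (the element layout is assumed to approximate a `show config` export) and flags security rules whose source zone is bound to an interface the operator lists as external-facing and whose URL filtering profile, attached directly or through a profile group, has at least one category set to block. Which interfaces count as external-facing is an input the operator supplies; the names `ethernet1/1`, `untrust`, `block-malware` and the rule names are constructed sample values.

```python
"""Flag PAN-OS security rules matching the CVE-2022-0028 precondition:
a URL filtering profile with blocked categories attached to a rule whose
source zone contains an external-facing interface.

Added example for illustration; not Palo Alto Networks' tooling. The XML
layout approximates a PAN-OS config export (assumption) and the set of
external-facing interfaces is supplied by the operator (assumption).
"""
import xml.etree.ElementTree as ET

# Constructed sample config (not from a real firewall).
#   inbound-web        : source zone untrust (ethernet1/1, external) + blocking profile -> hit
#   inbound-group      : same, but the profile comes via a profile group         -> hit
#   outbound-users     : source zone trust (internal)                             -> fine
#   inbound-alert-only : external source zone, but the profile only alerts       -> fine
SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain">
  <vsys><entry name="vsys1">
   <zone>
    <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
    <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
   </zone>
   <profiles>
    <url-filtering>
     <entry name="block-malware">
      <block><member>malware</member><member>phishing</member></block>
      <alert><member>gambling</member></alert>
     </entry>
     <entry name="alert-only">
      <alert><member>malware</member></alert>
     </entry>
    </url-filtering>
   </profiles>
   <profile-group>
    <entry name="strict-group"><url-filtering><member>block-malware</member></url-filtering></entry>
   </profile-group>
   <rulebase><security><rules>
    <entry name="inbound-web">
     <from><member>untrust</member></from><to><member>trust</member></to>
     <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting>
    </entry>
    <entry name="inbound-group">
     <from><member>untrust</member></from><to><member>trust</member></to>
     <profile-setting><group><member>strict-group</member></group></profile-setting>
    </entry>
    <entry name="outbound-users">
     <from><member>trust</member></from><to><member>untrust</member></to>
     <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting>
    </entry>
    <entry name="inbound-alert-only">
     <from><member>untrust</member></from><to><member>trust</member></to>
     <profile-setting><profiles><url-filtering><member>alert-only</member></url-filtering></profiles></profile-setting>
    </entry>
   </rules></security></rulebase>
  </entry></vsys>
 </entry></devices>
</config>"""


def external_zones(vsys, external_ifaces):
    """Zones bound to at least one interface the operator deems external-facing."""
    zones = set()
    for zone in vsys.findall("zone/entry"):
        # network/* covers layer3, layer2, virtual-wire and tap zone types
        for member in zone.findall("network/*/member"):
            if member.text in external_ifaces:
                zones.add(zone.get("name"))
    return zones


def blocking_profiles(vsys):
    """URL filtering profiles with at least one category whose action is block."""
    return {p.get("name") for p in vsys.findall("profiles/url-filtering/entry")
            if p.findall("block/member")}


def rule_url_profile(vsys, rule):
    """URL filtering profile a rule uses, attached directly or via a profile group."""
    direct = rule.find("profile-setting/profiles/url-filtering/member")
    if direct is not None:
        return direct.text
    group = rule.find("profile-setting/group/member")
    if group is not None:
        via_group = vsys.find(
            f"profile-group/entry[@name='{group.text}']/url-filtering/member")
        if via_group is not None:
            return via_group.text
    return None


def find_exposed_rules(config_xml, external_ifaces):
    """Return (rule name, profile name) pairs where the rule's source zone is
    external-facing and its URL filtering profile blocks categories."""
    root = ET.fromstring(config_xml)
    hits = []
    for vsys in root.findall("devices/entry/vsys/entry"):
        ext = external_zones(vsys, external_ifaces)
        blockers = blocking_profiles(vsys)
        for rule in vsys.findall("rulebase/security/rules/entry"):
            sources = {m.text for m in rule.findall("from/member")}
            profile = rule_url_profile(vsys, rule)
            if sources & ext and profile in blockers:
                hits.append((rule.get("name"), profile))
    return hits


if __name__ == "__main__":
    for name, profile in find_exposed_rules(SAMPLE_CONFIG, {"ethernet1/1"}):
        print(f"review rule '{name}': profile '{profile}' blocks categories "
              f"on a rule whose source zone is external-facing")
```

Rules that are reported are candidates for the policy adjustment the advisory describes (remove or rework the blocking URL filtering profile on the external-facing source zone) and should be re-checked after the vendor update is applied; the script only evaluates the precondition and does not assess the other protections a given PAN-OS release may offer.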
