CISA issues warning on active exploitation of Palo Alto Networks PAN-OS flaw

Tracked as CVE-2022-0028, this high-severity vulnerability has been assigned a CVSS score of 8.6

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a security vulnerability impacting Palo Alto Networks' PAN-OS to its Known Exploited Vulnerabilities (KEV) catalogue and warned that the flaw has been actively exploited in attacks.

All organisations that are part of the Federal Civilian Executive Branch (FCEB) must patch this newly-disclosed vulnerability by September 12, 2022, according to a directive from CISA.

In order to reduce the risk of known exploitable bugs across US government networks, FCEB agencies are expected to protect their systems against weaknesses that are added to the KEV Catalogue, under a legally enforceable operational directive (BOD 22-01) released by CISA in the month of November.

The PAN-OS security flaw, tracked as CVE-2022-0028, is a high-severity risk with CVSS score of 8.6.

Palo Alto Networks said in a security advisory on August 12 that they learned about the issue after receiving a warning about a reflected and amplified denial-of-service (RDoS) attack that was attempted via one of their products.

The company described the bug as a PAN-OS URL filtering policy misconfiguration issue, which could enable a network-based attacker to launch RDoS attack without having to authenticate.

The attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewall against a target chosen by the attacker.

In order for it to be exploited by an outside attacker, the firewall configuration must include a URL filtering profile with one or more prohibited categories assigned to a security rule with a source zone that has an externally visible network interface.

"If exploited, this issue would not impact the confidentiality, integrity, or availability of our products," Palo Alto Networks said in its advisory.

"However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack."

CVE-2022-0028 affects the following PAN-OS versions that run PA-Series, VM-Series, and CN-Series devices:

• PAN-OS 10.2 (version prior to 10.2.2-h2)
• PAN-OS 10.1 (version prior to 10.1.6-h6)
• PAN-OS 10.0 (version prior to 10.0.11-h1)
• PAN-OS 9.1 (version prior to 9.1.14-h4)
• PAN-OS 9.0 (version prior to 9.0.16-h3)
• PAN-OS 8.1 (version prior to 8.1.23-h1)

The vulnerability has been fixed as part of upgrades made available this month, and according to Palo Alto Networks, it does not affect Panorama M-Series or Panorama virtual appliances.

Last week, CISA also added seven new actively exploited security flaws, including a critical SAP bug, to its KEV catalogue.

The SAP vulnerability, tracked as CVE-2022-22536, was fixed as part of SAP's Patch Tuesday updates for February 2022 and was given the risk score of 10.0 on the CVSS vulnerability ranking system.

Recently reported vulnerabilities from Google (CVE-2022-2856) and Apple (CVE-2022-32893, and CVE-2022-32894), as well as previously known Microsoft-related flaws (CVE-2022-21971 and CVE-2022-26923) were also added.

A remote code execution bug (CVE-2017-15944) in Palo Alto Networks PAN-OS, which was uncovered in 2017 and received a CVSS score of 9.8, was another addition to the KEV catalogue last week.