CISA warns that Palo Alto Networks’ PAN-OS is currently under active attack and should be patched immediately.
The software that operates Palo Alto Networks’ firewalls is under attack, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn public and federal IT security teams to apply available patches. Federal agencies are urged to implement a patch by September 9th.
According to Palo Alto Networks, adversaries attempted to exploit a critical flaw (CVE-2022-0028) that was patched earlier this month. The vulnerability could be exploited by remote hackers to launch reflected and amplified denial-of-service (DoS) attacks against targeted systems without having to authenticate themselves.
Palo Alto Networks asserts that the vulnerability can only be exploited on a small number of systems under specific conditions and that the vulnerable systems are not a part of a standard firewall configuration. Additional exploits of the vulnerability have either not occurred or not been publicly reported.
Products and OS Versions Affected
Affected products include PA-Series, VM-Series, and CN-Series devices running the PAN-OS firewall software. PAN-OS before 10.2.2-h2, PAN-OS before 10.1.6-h6, PAN-OS before 10.0.11-h1, PAN-OS before 9.1.14-h4, PAN-OS before 9.0.16-h3, and PAN-OS before 8.1.23-h1 are vulnerable to attack and have available patches.
According to a Palo Alto Networks advisory, a PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (DoS) attacks. To the attacker-specified target, the DoS traffic appears to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual), or CN-Series (container) firewall.
The advisory describes the vulnerable non-standard configuration as “the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external network interface.”
The advisory stated that the configuration was likely not intended by the network administrator.
CISA Includes Flaw in KEV Catalog
CISA added the Palo Alto Networks flaw to its catalog of known exploitable vulnerabilities on Monday.
The CISA Known Exploited Vulnerabilities (KEV) Catalog is a curated list of vulnerabilities known to be exploited in the wild. CISA “strongly recommends” that public and private organizations pay close attention to the catalog in order to “prioritize remediation” and “reduce the likelihood of compromise by known threat actors.”
Reflective and Amplified Denial of Service (DoS) Attacks
The increase in the peak size of volumetric attacks is one of the most remarkable changes in the DDoS landscape. Attackers continue to use reflection/amplification techniques to maximize the scale of their attacks by exploiting vulnerabilities in DNS, NTP, SSDP, CLDAP, and other protocols.
Reflected and amplified denial-of-service attacks are not new and have become increasingly prevalent over time.
Distributed denial of service attacks, which are designed to render websites inaccessible by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a significant obstacle for businesses of all types. Being knocked offline has negative effects on revenue, customer service, and basic business operations, and it is worrisome that the bad actors behind these attacks are refining their methods to become more effective over time.
Compared with direct DDoS attacks, which are limited to the volume the attacker can generate, reflective and amplified DoS attacks can produce much greater volumes of disruptive traffic. This type of attack lets an adversary multiply the malicious traffic they generate while concealing its sources. A direct HTTP-based DDoS attack, for instance, sends bogus HTTP requests to a target’s server, tying up resources and preventing users from accessing a specific website or service.
A TCP reflection attack, which is believed to have been used in the recent abuse of Palo Alto Networks firewalls, occurs when an attacker sends spoofed SYN packets to a range of random or pre-selected reflection IP addresses, with the source IP replaced by the victim’s IP address. The services at the reflection addresses respond to the spoofed source, the victim, with a SYN-ACK packet. Because the victim never completes the handshake, the reflection service repeatedly retransmits the SYN-ACK, which is what produces the amplification. The amount of amplification depends on the number of SYN-ACK retransmissions the reflection service performs, which the attacker can influence.
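From the victim's side, the attack described above shows up as SYN-ACKs arriving for connections the victim never opened. The following detector is an added example, not code from the article or from Palo Alto Networks: it reads a constructed, tcpdump-like packet summary (documentation IP ranges, assumed victim address), separates legitimate SYN-ACKs (those answering a SYN the victim sent) from unsolicited ones, and reports per reflector how many SYN-ACKs, including retransmissions, each spoofed SYN produced.

```python
import re
from collections import Counter, defaultdict

# Constructed packet summaries (not a real capture) in a simplified tcpdump-like
# form: "<time> <src>:<sport> > <dst>:<dport> <flags>", flags S = SYN, S. = SYN-ACK.
VICTIM = "203.0.113.10"  # assumed address of the protected host
CAPTURE = """\
0.000 203.0.113.10:40001 > 198.51.100.7:443 S
0.010 198.51.100.7:443 > 203.0.113.10:40001 S.
0.100 192.0.2.20:443 > 203.0.113.10:55001 S.
0.150 192.0.2.21:443 > 203.0.113.10:55002 S.
1.100 192.0.2.20:443 > 203.0.113.10:55001 S.
1.150 192.0.2.21:443 > 203.0.113.10:55002 S.
3.100 192.0.2.20:443 > 203.0.113.10:55001 S.
7.100 192.0.2.20:443 > 203.0.113.10:55001 S.
"""
LINE = re.compile(r"^(?P<t>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > "
                  r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>S\.?)$")

def parse(text):
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def unsolicited_synacks(text, victim=VICTIM):
    """Map (reflector, reflector_port, victim_port) -> SYN-ACKs received for
    connections the victim never opened. The spoofed SYN is sent by the attacker,
    so the victim never sees it; every SYN-ACK for that flow is unsolicited."""
    sent_syn = set()
    flows = Counter()
    for p in sorted(parse(text), key=lambda p: float(p["t"])):
        if p["flags"] == "S" and p["src"] == victim:
            sent_syn.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif p["flags"] == "S." and p["dst"] == victim:
            # A legitimate SYN-ACK answers a SYN the victim sent on the reversed 4-tuple.
            if (p["dst"], p["dport"], p["src"], p["sport"]) not in sent_syn:
                flows[(p["src"], p["sport"], p["dport"])] += 1
    return flows

def summarize(flows):
    """Per reflector: spoofed SYNs implied, SYN-ACK packets received, and the
    resulting amplification (packets per spoofed SYN; 1.0 means no retransmits)."""
    per = defaultdict(lambda: [0, 0])
    for (reflector, _rport, _vport), n in flows.items():
        per[reflector][0] += 1
        per[reflector][1] += n
    return {r: {"spoofed_syns": c, "synacks": n, "amplification": n / c}
            for r, (c, n) in per.items()}
```

In the constructed capture the legitimate handshake with 198.51.100.7 is ignored, while 192.0.2.20 is reported with an amplification of 4.0 (one spoofed SYN, four SYN-ACKs) and 192.0.2.21 with 2.0.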