Firewall Vulnerability Being Exploited, CISA Issues Warning

Internet Security: Firewall Bug Under Active Attack Triggers CISA Warning

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to public and federal IT security teams to apply available fixes to the software running Palo Alto Networks’ firewalls, which is under active attack. Earlier this month, Palo Alto Networks issued a fix for the high-severity bug (CVE-2022-0028), which it says adversaries have attempted to exploit. The flaw could be used by remote attackers to carry out reflected and amplified denial-of-service (DoS) attacks without having to authenticate to the targeted systems.

Affected Products and OS Versions

Affected products are those running Palo Alto Networks’ PAN-OS firewall software, including PA-Series, VM-Series, and CN-Series devices. PAN-OS versions vulnerable to attack, with patches available, are PAN-OS prior to 10.2.2-h2, PAN-OS prior to 10.1.6-h6, PAN-OS prior to 10.0.11-h1, PAN-OS prior to 9.1.14-h4, PAN-OS prior to 9.0.16-h3, and PAN-OS prior to 8.1.23-h1.

Misconfiguration of PAN-OS URL filtering policy allows a network-based attacker to conduct reflected and amplified TCP denial-of-service attacks, the company said in an advisory.

The Configuration at Risk

The advisory describes the non-standard configuration at risk as follows: the “firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external-facing network interface,” and it calls such a configuration “likely unintended by the network administrator.”
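Every clause of that sentence is a condition an administrator can check against the firewall’s own policy: a URL filtering profile, with at least one blocked category, attached to a security rule, whose source zone faces outward. The following is an added example, not code from the article or from Palo Alto Networks, and it uses a simplified, hypothetical model of a policy rather than the real PAN-OS configuration schema. It walks a constructed policy and lists the rules that satisfy all four conditions, which is the set a defender would want to review.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UrlFilteringProfile:
    name: str
    blocked_categories: List[str] = field(default_factory=list)  # empty means alert/allow only


@dataclass
class Zone:
    name: str
    # Hypothetical flag: the zone contains at least one external-facing interface.
    external_facing: bool


@dataclass
class SecurityRule:
    name: str
    source_zones: List[str]
    url_filtering_profile: Optional[str] = None  # None means no profile attached


def find_at_risk_rules(
    rules: List[SecurityRule],
    profiles: Dict[str, UrlFilteringProfile],
    zones: Dict[str, Zone],
) -> List[str]:
    """Return names of rules matching the advisory's at-risk configuration:
    a URL filtering profile with one or more blocked categories, assigned to a
    security rule whose source zone has an external-facing interface."""
    at_risk = []
    for rule in rules:
        profile = profiles.get(rule.url_filtering_profile or "")
        if profile is None or not profile.blocked_categories:
            continue  # no profile, or profile blocks nothing
        if any(zones[z].external_facing for z in rule.source_zones if z in zones):
            at_risk.append(rule.name)
    return at_risk


def sample_policy():
    """Constructed sample policy (hypothetical names) exercising each condition."""
    zones = {
        "trust": Zone("trust", external_facing=False),
        "untrust": Zone("untrust", external_facing=True),
    }
    profiles = {
        "block-malware": UrlFilteringProfile("block-malware", ["malware", "phishing"]),
        "alert-only": UrlFilteringProfile("alert-only", []),
    }
    rules = [
        SecurityRule("allow-outbound", ["trust"], "block-malware"),   # internal source: not at risk
        SecurityRule("inbound-web", ["untrust"], "block-malware"),    # external source + blocks: at risk
        SecurityRule("inbound-dns", ["untrust"], None),               # no profile: not at risk
        SecurityRule("inbound-alert", ["untrust"], "alert-only"),     # profile blocks nothing: not at risk
    ]
    return rules, profiles, zones


if __name__ == "__main__":
    rules, profiles, zones = sample_policy()
    for name in find_at_risk_rules(rules, profiles, zones):
        print(f"review rule: {name}")
```

Rules that reference a zone missing from the zone table are skipped rather than treated as external, so an incomplete export of the policy produces fewer findings, not false ones; run it against a complete export.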

CISA Warning

On Monday, CISA added the Palo Alto Networks bug to its Known Exploited Vulnerabilities (KEV) Catalog. The KEV Catalog is a curated list of flaws that have been exploited in the wild, and the agency “strongly recommends” that public and private organizations pay close attention to it in order to “prioritize remediation” and “reduce the likelihood of compromise by known threat actors.”

Amplified and Reflected Denial-of-Service Attacks

Reflective and amplified denial-of-service attacks have become increasingly common over the years. Distributed denial-of-service attacks continue to pose a significant challenge to businesses of all stripes. Unlike limited-volume distributed denial-of-service attacks, reflective and amplified denial-of-service attacks can produce much higher volumes of disruptive traffic.

An HTTP-based distributed denial-of-service attack sends junk HTTP requests to a target’s server, tying up resources and locking users out of a particular site or service. A TCP reflection attack, which is believed to have been used in the recent Palo Alto Networks attacks, is one in which an attacker sends spoofed SYN packets, with the original source IP replaced by the victim’s IP address, to a range of random or pre-selected reflection IP addresses.

Recommendations

In light of the recent attacks abusing Palo Alto Networks’ PAN-OS, the need for updated and secure network configurations has never been more vital. Companies that rely on PAN-OS should install the available patches and implement security best practices, such as isolating vulnerable systems, keeping operating systems up to date, and conducting regular vulnerability scans to identify potential threats. Additionally, network administrators should be vigilant in monitoring traffic, particularly HTTP requests and TCP traffic, for signs of unusual traffic flows or suspicious activity.

In conclusion, the vulnerability has once again exposed the urgent need for organizations to have robust security measures in place to protect themselves against growing cyber threats. Therefore, it is crucial that companies take proactive steps to safeguard their networks, and software vendors must quickly issue patches for identified vulnerabilities.
