CVE-2022-0028

Warning

EPSS 4.44%
Published 10.08.2022 16:15:08
Last modified 07.02.2025 15:03:58
Source psirt@paloaltonetworks.com
Teams watchlist Login
Open Login

A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target. To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a source zone that has an external facing interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator. If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack. We have taken prompt action to address this issue in our PAN-OS software. All software updates for this issue are expected to be released no later than the week of August 15, 2022. This issue does not impact Panorama M-Series or Panorama virtual appliances. This issue has been resolved for all Cloud NGFW and Prisma Access customers and no additional action is required from them.

Affected products Warnungen 1 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Paloaltonetworks ≫ Pan-os Version >= 8.1.0 < 8.1.23

Paloaltonetworks ≫ Pan-os Version >= 9.0.0 < 9.0.16

Paloaltonetworks ≫ Pan-os Version >= 9.1.0 < 9.1.14

Paloaltonetworks ≫ Pan-os Version >= 10.0.0 < 10.0.11

Paloaltonetworks ≫ Pan-os Version >= 10.1.0 < 10.1.6

Paloaltonetworks ≫ Pan-os Version >= 10.2.0 < 10.2.2

Paloaltonetworks ≫ Pan-os Version8.1.23 Update-

Paloaltonetworks ≫ Pan-os Version9.0.16 Update-

Paloaltonetworks ≫ Pan-os Version9.0.16 Updateh2

Paloaltonetworks ≫ Pan-os Version9.1.14 Update-

Paloaltonetworks ≫ Pan-os Version9.1.14 Updateh1

Paloaltonetworks ≫ Pan-os Version10.0.11

Paloaltonetworks ≫ Pan-os Version10.1.6

Paloaltonetworks ≫ Pan-os Version10.1.6 Updateh3

Paloaltonetworks ≫ Pan-os Version10.2.2 Update-

Paloaltonetworks ≫ Pan-os Version10.2.2 Updateh1

22.08.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service Vulnerability

Vulnerability

A Palo Alto Networks PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	4.44%	0.886

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
psirt@paloaltonetworks.com	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE-406 Insufficient Control of Network Message Volume (Network Amplification)

The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.

https://security.paloaltonetworks.com/CVE-2022-0028

Third Party Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2022-0028

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-0028

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-0028

EUVD