US CISA Warns of Bug in Palo Alto's Firewall SoftwareAgency Tells Federal Government to Patch Misconfiguration by Sept. 12
A warning from Palo Alto that a vulnerability in its products was used to launch an attempted distributed denial of service attack is prompting the U.S. government to give federal agencies until Sept. 12 to ensure they've applied a fix.
See Also: Next-Generation Firewall Buyer’s Guide
The company says a threat actor attempted to launch a DDoS attack on an unidentified target by taking advantage of a misconfiguration allowing attackers to bounce internet traffic off a Palo Alto firewall and onto a third party.
The U.S. Cybersecurity and Infrastructure Security Agency added the exploit its catalog of actively exploited vulnerabilities along with assigning federal civilian executive branch agencies a mid-September remediation date.
The vulnerability is tracked as CVE-2022-0028 and has a CVSS score of 8.6. It affects six versions of PAN-OS and hardware, virtual and container-based Palo Alto firewalls.
Palo Alto characterizes the exploit as a "misconfiguration" but says it nonetheless released a software update. A successful attack is unlikely to impact Palo Alto products' confidentiality, integrity or availability, it says. "However, the resulting DoS attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack," it says.
The exploit only works under certain conditions. The exploit takes advantage of URL filtering that displays a "Web Page Blocked" message to users protected by the firewall when they attempt to load a forbidden webpage. The misconfiguration comes when that filtering activity response is triggered outside the firewall zone, Roman Lara, a DDoS analyst with Netscout, tells Information Security Media Group. Palo Alto did not respond to an ISMG inquiry.
An attacker spoofing the IP address of the victim could send a request for a firewall-blocked web address causing the firewall's web page blocked response to overwhelm the victim's bandwidth. Generally, only protected zone users should receive the firewall-generated automated response. "That's why it's a misconfiguration," he says.
The vulnerability is one of a type of CWE-406 - a bug that occurs when attackers can cause a system to generate large volumes of traffic through a small internet message.
Organizations can also implement a workaround to ensure the vulnerability isn't exploited.