Palo Alto Networks has turned up a vulnerability in its routers, and in its advisory warns that other vendors’ kit may also be exposed.

In disclosing CVE-2022-0028, which makes some of its devices vulnerable to Reflected Amplification Denial-of-Service (DoS) attacks, Palo Alto Networks said a recent attack against a service provider “took advantage of susceptible firewalls from multiple vendors”.
The bug received a Common Vulnerability Scoring System severity of High, at 8.6, but is only activated under a specific configuration.
The company explained its PAN-OS URL filtering could be exploited to create the DoS condition, if “a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface.”
The vulnerability also depends on how two other settings are configured: packet-based attack protection, and flood protection via SYN cookies.
“This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator”, the advisory stated.
The router itself isn’t at risk, the company said, but “the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack.”
Several releases in the PAN-OS 8.1, 9.0, 9.1, 10.0, 10.1, and 10.2 series are vulnerable, while the company’s Prisma Access and Cloud NGFW software are not.
Some of the fixes are already available, and the company said all fixes should have rolled out by August 15.
For users who aren’t ready to deploy the update, the vulnerability can be mitigated by reviewing and adjusting the system’s configuration.
“To prevent denial-of-service (DoS) attacks resulting from this issue from all sources, you can configure your Palo Alto Networks firewalls by enabling one of two zone protection mitigations on all Security zones with an assigned Security policy that includes a URL filtering profile”, the advisory stated, with details of the correct filtering profile.
Admins could alternatively enable flood protection “with an activation threshold of 0 connections”.