August 23, 2022
A Denial-of-Service Attack was disclosed for Palo Alto Firewall Software PAN-OS. By Configuring the Affected Palo Alto Firewall in a Certain Manner, it can be used as one of the sources or the “source” for a Denial-of-Service Attack. The Misconfiguration can be set by the Administrator of the Firewall. The Vulnerability has been rated High by The Common Vulnerability Scoring System (CVSS) which is an open framework for communicating the characteristics and severity of software vulnerabilities
Palo Alto said in a Security Advisory, that they recently learned that an attempted Reflected Denial-of-Service (RDoS) attack was identified by a service provider. The attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks.
Palo found that a PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.
The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target.
This is how it works the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface.
According to Palo Alto Networks, “This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator… If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack. “
Palo Alto said that they had taken prompt action to address this issue in our PAN-OS software. All PAN-OS software updates for this issue are now available. They also said, “This issue does not impact Panorama M-Series or Panorama virtual appliances have been resolved for all Cloud NGFW and Prisma Access customers and no additional action is required from them.
There are workarounds to prevent the denial-of-service (DoS) attacks that result from this issue in certain Palo Alto Networks firewalls, with this policy configuration.
All PAN-OS software updates for this issue are now available.
The Palo Alto issued the following Security Advisory, you can find it below.0