Cybersecurity Alert: CISA Warns of Active Firewall Bug Attack on Palo Alto Networks’ PAN-OS

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert that Palo Alto Networks’ PAN-OS is currently being targeted and requires immediate patching.

PAN-OS, the software that runs Palo Alto Networks’ firewalls, is under active attack. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted public-sector and federal IT security teams and urged them to apply the available fixes. Federal civilian agencies have until September 9 to remediate.

A few weeks earlier, Palo Alto Networks released fixes for a high-severity vulnerability (CVE-2022-0028) that the company said had already been abused in an attempted attack. The flaw lets a remote attacker, without any authentication to the firewall, use an affected device to launch reflected and amplified TCP denial-of-service (DoS) attacks against a target of the attacker’s choosing.

Palo Alto Networks says the vulnerability is exploitable only on a small number of systems and only under a specific condition: the firewall must be in an unusual configuration that is not typical of how firewalls are deployed. No further attacks leveraging the bug have been reported so far, or at least none that have been publicly disclosed.

Impacted Products and Operating System Releases

The affected products are the PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewalls running PAN-OS. Fixes are available for every supported release train; the vulnerable builds are those earlier than 10.2.2-h2, 10.1.6-h6, 10.0.11-h1, 9.1.14-h4, 9.0.16-h3, and 8.1.23-h1 in their respective trains.
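As an added example (not from the advisory or the original article), the following Python compares a deployed PAN-OS version string against the fixed releases listed above. PAN-OS versions have the shape `major.minor.maintenance` with an optional `-hN` hotfix suffix, and the hotfix must be treated as the least significant component, because 10.2.2 and 10.2.2-h1 are both below the fix 10.2.2-h2. The sample inventory in the `__main__` block is constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Fixed releases as listed above, one per PAN-OS release train.
FIXED_VERSIONS = ["10.2.2-h2", "10.1.6-h6", "10.0.11-h1",
                  "9.1.14-h4", "9.0.16-h3", "8.1.23-h1"]

# PAN-OS versions look like "major.minor.maintenance" with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Convert 'major.minor.maint[-hN]' into a comparable tuple.

    A release without a hotfix suffix is treated as hotfix 0, so 10.2.2 sorts
    below 10.2.2-h1, which sorts below 10.2.2-h2.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


# Map each release train (major, minor) to its first fixed build.
_FIXED_BY_TRAIN = {parse_panos_version(v)[:2]: parse_panos_version(v)
                   for v in FIXED_VERSIONS}


def is_vulnerable(version: str) -> Optional[bool]:
    """Return True if the version predates the fixed build of its release train,
    False if it is at or beyond the fix, or None if the train is not one of
    those listed above (no fix information is given for it here)."""
    parsed = parse_panos_version(version)
    fixed = _FIXED_BY_TRAIN.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for version in ["10.2.2", "10.2.2-h2", "10.1.6-h5", "9.1.14-h4", "8.1.22", "11.0.0"]:
        print(f"{version:12s} vulnerable={is_vulnerable(version)}")
```

A `True` result means the build is below the fix for its train; it does not by itself mean the device is exploitable, because the advisory ties exploitation to the uncommon URL filtering configuration described below, so a version check should be paired with a configuration review.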

According to the Palo Alto Networks advisory, a misconfiguration of the PAN-OS URL filtering policy could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. Such an attack appears to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual), or CN-Series (container) firewall and is directed at a target of the attacker’s choosing.

The advisory describes the unusual vulnerable configuration as “a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface.”

The advisory notes that this configuration is unlikely to be one a network administrator intended.

CISA Adds the Flaw to the KEV Catalog

On Monday, CISA added the Palo Alto Networks flaw to its Known Exploited Vulnerabilities (KEV) Catalog.

CISA’s Known Exploited Vulnerabilities (KEV) Catalog is a curated list of vulnerabilities that have been exploited in the wild. Under Binding Operational Directive 22-01, federal civilian agencies must remediate listed entries by their due dates, and CISA strongly urges public and private organizations alike to use the catalog to “prioritize remediation” and so reduce their exposure to known threats.

Reflected and Amplified DoS Attacks

A significant trend in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques that abuse DNS, NTP, SSDP, CLDAP, Chargen, and other protocols to multiply the traffic they can direct at a target.

Reflected and amplified denial-of-service attacks are not new, and their prevalence has grown steadily over time.

Distributed denial-of-service (DDoS) attacks, which aim to take websites offline by flooding domains or specific application infrastructure with enormous volumes of traffic, remain a serious problem for businesses of every kind. Downtime hits revenue, customer support, and core business operations. Worse, attackers keep refining their methods and growing more effective over time.

Compared with a direct flood, whose size is bounded by the bandwidth the attacker actually controls, a reflected and amplified attack can generate far more junk traffic. Reflection lets the attacker multiply the volume of malicious traffic while hiding its true origin, because the victim sees packets arriving from the reflectors rather than from the attacker. This differs from an application-layer attack such as an HTTP flood, in which the attacker sends large numbers of unnecessary HTTP requests directly to the target’s server, consuming its resources and locking legitimate users out of the site or service.

In a TCP reflection attack, which is presumed to be the technique used in the recent attacks involving Palo Alto Networks firewalls, the attacker sends SYN packets whose source IP address has been spoofed to the victim’s address to a set of randomly chosen or pre-selected reflector IP addresses. The TCP services at those reflectors answer with SYN-ACK packets, which are delivered to the unsuspecting victim rather than to the attacker. A host that receives an unexpected SYN-ACK normally answers with a RST, which makes the reflector abandon the half-open connection; but if the victim does not respond (for example because its RST is dropped or it is already overwhelmed), the reflector keeps retransmitting the SYN-ACK, multiplying the effect of each spoofed SYN. The amplification factor therefore depends on how many times the reflector’s TCP stack retransmits the SYN-ACK before giving up, which is set by the reflector’s implementation and configuration rather than by the attacker; what the attacker can do is select reflectors whose stacks retransmit generously.
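To make the retransmission-as-amplification point concrete, here is an added Python example (not from the original article or from Palo Alto Networks) that scans a set of TCP flow records for SYN-ACKs that no local SYN requested and counts how many copies each reflector sends. The record format, the IP addresses, and the assumption that the monitored (victim-side) network is 203.0.113.0/24 are all assumptions made for the example, and the sample records are constructed, not captured.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed flow records for illustration only, not a real capture. Assumed format:
#   "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>"
# with tcpdump-style flags: S = SYN, SA = SYN-ACK, A = ACK, R = RST.
# 203.0.113.0/24 is the monitored (victim-side) network; 192.0.2.x act as reflectors.
SAMPLE_RECORDS = """\
2022-08-22T10:00:00 203.0.113.5:40001 -> 198.51.100.7:443 S
2022-08-22T10:00:00 198.51.100.7:443 -> 203.0.113.5:40001 SA
2022-08-22T10:00:00 203.0.113.5:40001 -> 198.51.100.7:443 A
2022-08-22T10:00:01 192.0.2.10:443 -> 203.0.113.5:51234 SA
2022-08-22T10:00:01 192.0.2.11:443 -> 203.0.113.5:51235 SA
2022-08-22T10:00:01 192.0.2.12:80 -> 203.0.113.5:51236 SA
2022-08-22T10:00:02 192.0.2.10:443 -> 203.0.113.5:51234 SA
2022-08-22T10:00:02 192.0.2.11:443 -> 203.0.113.5:51235 SA
2022-08-22T10:00:04 192.0.2.10:443 -> 203.0.113.5:51234 SA
2022-08-22T10:00:08 192.0.2.10:443 -> 203.0.113.5:51234 SA
"""

_RECORD_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_records(text: str) -> List[Packet]:
    """Parse the constructed record format into Packet objects, skipping malformed lines."""
    packets = []
    for line in text.splitlines():
        m = _RECORD_RE.match(line.strip())
        if m:
            ts, src, sport, dst, dport, flags = m.groups()
            packets.append(Packet(ts, src, int(sport), dst, int(dport), flags))
    return packets


def analyze_synacks(packets: List[Packet], local_prefix: str = "203.0.113.") -> Dict:
    """Flag SYN-ACKs arriving at the monitored network that no local SYN asked for.

    A legitimate SYN-ACK is preceded by a SYN from the local host with the matching
    4-tuple. Anything else is a candidate reflection; repeated copies of the same
    unsolicited SYN-ACK are the reflector's retransmissions, i.e. the amplification.
    """
    expected = set()                     # 4-tuples of handshakes the local side started
    per_reflector = Counter()            # reflector ip -> unsolicited SYN-ACK count
    per_flow = defaultdict(int)          # (reflector, rport, victim, vport) -> copies seen
    for p in sorted(packets, key=lambda x: x.ts):
        if p.flags == "S" and p.src.startswith(local_prefix):
            expected.add((p.src, p.sport, p.dst, p.dport))
        elif p.flags == "SA" and p.dst.startswith(local_prefix):
            if (p.dst, p.dport, p.src, p.sport) in expected:
                continue                 # normal reply to a handshake we started
            per_reflector[p.src] += 1
            per_flow[(p.src, p.sport, p.dst, p.dport)] += 1
    total = sum(per_reflector.values())
    spoofed_syns = len(per_flow)         # one attacker SYN presumed per distinct flow
    return {
        "unsolicited_by_reflector": dict(per_reflector),
        "spoofed_syns_estimated": spoofed_syns,
        "max_synacks_per_flow": max(per_flow.values(), default=0),
        "packet_amplification": (total / spoofed_syns) if spoofed_syns else 0.0,
    }


if __name__ == "__main__":
    report = analyze_synacks(parse_records(SAMPLE_RECORDS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample, the handshake with 198.51.100.7 is ignored because the local host sent the SYN, while the reflector at 192.0.2.10 retransmits its SYN-ACK four times with doubling intervals, so one spoofed SYN yields four packets at the victim; across the three spoofed flows the packet-count amplification is 7/3. A conformant stack stops retransmitting as soon as the victim answers RST, so a climbing count of unsolicited SYN-ACKs from the same reflectors is the signal worth alerting on.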
