Posted on August 14, 2022 at 8:37 AM
A high-severity denial-of-service vulnerability in Palo Alto Networks devices has been exploited by threat actors looking to launch DDoS attacks.
The bug, tracked as CVE-2022-0028, has been given a severity rating of 8.6 out of 10. According to the report on the situation, the vulnerability affects PAN-OS, the Palo Alto Networks operating system used by the company’s hardware products.
With the flaw, a threat actor can enlist a Palo Alto Networks PAN-OS device for DDoS attacks. Such attacks conceal the attacker’s original IP address and make it very difficult for victims to remedy the situation. Hackers can use them for different malicious purposes, including extortion or disruption of the victim’s business operations.
According to Palo Alto Networks, the vulnerability was discovered after the company was informed that one of its devices had been used as part of a reflected denial-of-service (RDoS) attack. This means that the vulnerability is actively used in attacks. However, the company noted that CVE-2022-0028 doesn’t affect the products’ confidentiality, availability, or integrity, which means the attack is limited to DDoS.
Conditions For A Successful Exploit
The vulnerable PAN-OS versions run on CN-Series, VM-Series, and PA-Series devices. However, the exploit only succeeds when all of the following conditions are met.
First, the firewall security policy that allows traffic to move from one zone (Zone A) to another (Zone B) includes a URL filtering profile with several blocked categories.
Second, packet-based attack protection is not enabled in a Zone Protection profile for Zone A, which has an activation threshold of 0 connections.
Third, flood protection against DDoS through SYN cookies is not enabled in a Zone Protection profile for Zone A. The report noted that such a firewall configuration is not typical and generally results from an administration error, so the number of vulnerable endpoints is small.
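The three conditions above expressed as a configuration check, written for this article as an added example (it is not the article’s own code and not Palo Alto Networks tooling); ZoneProtection, SecurityRule, find_exposed_rules, harden_zone and the sample zones, rules and profiles are a constructed simplification, not the PAN-OS configuration schema.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ZoneProtection:
    """Constructed, simplified view of a Zone Protection profile."""
    packet_based_attack_protection: bool = False
    syn_cookies: bool = False


@dataclass
class SecurityRule:
    """Constructed, simplified view of a security policy rule."""
    name: str
    from_zone: str
    to_zone: str
    url_filtering_profile: Optional[str] = None


def find_exposed_rules(rules, url_profiles, zone_protection):
    """Names of rules for which all three advisory conditions hold:
    (1) a URL filtering profile with blocked categories, (2) no packet-based
    attack protection and (3) no SYN-cookie flood protection on the source zone."""
    exposed = []
    for rule in rules:
        blocked = url_profiles.get(rule.url_filtering_profile or "", set())
        if not blocked:  # condition 1 not met: the profile blocks nothing
            continue
        # A zone without a Zone Protection profile has neither protection enabled.
        zp = zone_protection.get(rule.from_zone, ZoneProtection())
        if zp.packet_based_attack_protection or zp.syn_cookies:
            continue  # enabling either protection breaks the chain
        exposed.append(rule.name)
    return exposed


def harden_zone(zone_protection, zone):
    """Vendor workaround: enable packet-based attack protection on the zone."""
    hardened = dict(zone_protection)
    current = hardened.get(zone, ZoneProtection())
    hardened[zone] = ZoneProtection(True, current.syn_cookies)
    return hardened


# Constructed sample configuration (not a real PAN-OS export).
URL_PROFILES = {"strict": {"malware", "phishing"}, "allow-all": set()}
ZONE_PROTECTION = {"untrust": ZoneProtection(), "trust": ZoneProtection(syn_cookies=True)}
RULES = [
    SecurityRule("inbound-web", "untrust", "dmz", "strict"),  # all three conditions hold
    SecurityRule("outbound-browsing", "trust", "untrust", "strict"),  # SYN cookies on source
    SecurityRule("inbound-mail", "untrust", "dmz", "allow-all"),  # profile blocks nothing
]
```

Running find_exposed_rules on the sample flags only the inbound rule, and the same check after harden_zone on the untrust zone flags nothing, which is the "break one of the three conditions" mitigation the advisory describes.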
Update To The Vulnerability Has Been Applied
According to the advisory, URL filtering policies are meant to be triggered when a user within a protected network requests to visit disallowed or dangerous sites on the internet.
This type of URL filtering is not meant to be used in the other direction, for traffic that comes from the internet into the protected network; in that direction URL filtering offers no benefit. As a result, any firewall configuration that does this is probably intentional and is seen as a misconfiguration. An attacker must be able to reach the misconfigured PAN-OS device remotely to use it for RDoS attacks. However, Palo Alto Networks has applied the update to prevent it from being exploited either internally or remotely.
While there is no security update available for most PAN-OS versions, system admins have been advised to make sure that at least one of the three requirements is not met. Since hackers can only exploit the vulnerability when all three prerequisites are met, admins can prevent the attack by removing one or more of them.
The Bug Is Caused By URL Filtering Policy Misconfiguration
The vendor has recommended that operators apply a packet-based attack protection workaround to mitigate the problem. To help administrators, the vendor has provided a detailed technical guide.
The vulnerability is caused by a URL filtering policy misconfiguration that enables a threat actor with network access to carry out amplified and reflected TCP denial-of-service attacks.
Last month, the Palo Alto Networks security team stated that the heavy exploitation of software bugs corresponds with the opportunistic behavior of threat actors. The team published an Incident Response Report that offers several insights from Palo Alto Networks’ Unit 42 and its extensive incident response (IR) work.
Real Estate And Finance Are The Most Affected Industries
The security team leveraged a sample of more than 600 Unit 42 IR cases to help security teams and CISOs understand the highest security risks they face. The report will also enable them to prioritize their resources to minimize those risks.
The report noted that real estate and finance are among the most affected industries, as they received the highest ransomware demands. According to the Unit 42 report, real estate and finance faced average demands of nearly $5.2 million and $8 million, respectively.
Overall, ransomware and business email compromise (BEC) were found to be the most common incident types the response team handled over the past year. According to the report, they accounted for about 70% of the incident response cases.