CISA Urges Immediate Patching of Palo Alto Networks PAN-OS Vulnerability Exploited in Active Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to both public and federal IT security teams, highlighting that Palo Alto Networks’ PAN-OS software, which powers its firewalls, is currently under active exploitation. The agency is strongly urging all affected organizations to apply available security patches immediately to mitigate the risk of compromise. Federal agencies have been specifically tasked with patching this critical vulnerability by September 9th.
This directive follows a recent advisory from Palo Alto Networks concerning a high-severity bug, identified as CVE-2022-0028. Adversaries have been actively attempting to exploit this flaw, which, if successful, could allow remote attackers to launch reflected and amplified denial-of-service (DoS) attacks without requiring any form of authentication on targeted systems.
While Palo Alto Networks has indicated that the exploitability of this vulnerability is limited to specific, non-standard configurations and a subset of their systems, the active exploitation in the wild, as confirmed by CISA, elevates the urgency of remediation. The company maintains that the vulnerable configurations are not typical and that any further attacks exploiting this specific bug have either not occurred or have not been publicly disclosed.
Understanding the Vulnerability: CVE-2022-0028
The vulnerability, officially cataloged as CVE-2022-0028, stems from a misconfiguration within the PAN-OS URL filtering policy. According to Palo Alto Networks’ official advisory, this misconfiguration "could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks." Crucially, the DoS attack would appear to originate from a Palo Alto Networks firewall (specifically PA-Series hardware, VM-Series virtual appliances, and CN-Series containerized solutions) but would be directed at a target chosen by the attacker.
The specific non-standard configuration at risk involves a firewall setup where a URL filtering profile, containing one or more blocked categories, is assigned to a security rule. This rule must also be associated with a security zone that has an externally facing network interface. Palo Alto Networks emphasizes that this configuration is likely unintended by network administrators, suggesting a lapse in standard security practices or oversight.
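The risk configuration described above is something an administrator can check for in an exported configuration rather than by clicking through every rule. The script below is an added example, not Palo Alto Networks tooling: it parses a PAN-OS XML configuration and reports security rules that both carry a URL filtering profile with at least one blocked category and reference a zone the operator has marked as externally facing. The XML paths (config/devices/entry/vsys/entry/...) follow the PAN-OS configuration layout as the author understands it and should be verified against a real export; the set of external zone names is supplied by the operator; the sample configuration is constructed for the example.

```python
"""Flag PAN-OS security rules that match the CVE-2022-0028 risk configuration.

Added example; not Palo Alto Networks tooling. Reports security rules that
(a) use a URL filtering profile with at least one blocked category and
(b) reference a zone the operator lists as externally facing. XML paths are
the author's understanding of the PAN-OS config layout (an assumption);
SAMPLE_CONFIG is constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed sample config: one vsys, three zones, two URL profiles, three rules.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <zone>
            <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
            <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
            <entry name="dmz"><network><layer3><member>ethernet1/3</member></layer3></network></entry>
          </zone>
          <profiles>
            <url-filtering>
              <entry name="block-risky">
                <block><member>malware</member><member>phishing</member></block>
                <alert><member>gambling</member></alert>
              </entry>
              <entry name="alert-only">
                <alert><member>malware</member></alert>
              </entry>
            </url-filtering>
          </profiles>
          <rulebase>
            <security>
              <rules>
                <entry name="allow-outbound">
                  <from><member>trust</member></from>
                  <to><member>untrust</member></to>
                  <profile-setting><profiles><url-filtering><member>block-risky</member></url-filtering></profiles></profile-setting>
                </entry>
                <entry name="monitor-outbound">
                  <from><member>trust</member></from>
                  <to><member>untrust</member></to>
                  <profile-setting><profiles><url-filtering><member>alert-only</member></url-filtering></profiles></profile-setting>
                </entry>
                <entry name="trust-to-dmz">
                  <from><member>trust</member></from>
                  <to><member>dmz</member></to>
                  <profile-setting><profiles><url-filtering><member>block-risky</member></url-filtering></profiles></profile-setting>
                </entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


def blocking_url_profiles(vsys: ET.Element) -> Set[str]:
    """Names of URL filtering profiles in this vsys that block at least one category."""
    return {
        prof.get("name")
        for prof in vsys.findall("./profiles/url-filtering/entry")
        if prof.findall("./block/member")
    }


def members(elem: ET.Element, path: str) -> Set[str]:
    """Collect <member> text values found under a relative path."""
    return {m.text.strip() for m in elem.findall(path) if m.text}


def find_risky_rules(config_xml: str, external_zones: Set[str]) -> List[Dict]:
    """Return rules that pair a blocking URL profile with an externally facing zone.

    Both source and destination zones are checked, so this over-reports rather
    than under-reports; review each finding against the vendor advisory.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for vsys in root.findall("./devices/entry/vsys/entry"):
        blocking = blocking_url_profiles(vsys)
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            used = members(rule, "./profile-setting/profiles/url-filtering/member") & blocking
            if not used:
                continue
            zones = members(rule, "./from/member") | members(rule, "./to/member")
            exposed = zones & external_zones
            if exposed:
                findings.append({
                    "vsys": vsys.get("name"),
                    "rule": rule.get("name"),
                    "profiles": sorted(used),
                    "external_zones": sorted(exposed),
                })
    return findings


if __name__ == "__main__":
    # "untrust" is the zone the operator knows holds the internet-facing interface.
    for f in find_risky_rules(SAMPLE_CONFIG, {"untrust"}):
        print(f"{f['vsys']}: rule {f['rule']!r} uses {f['profiles']} via {f['external_zones']}")
```

In the constructed configuration only `allow-outbound` is reported: `monitor-outbound` uses a profile that alerts but never blocks, and `trust-to-dmz` blocks categories but touches no external zone. A finding is a prompt to review the rule and apply the vendor fix, not proof of exploitation.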
CISA’s Escalation: Inclusion in the Known Exploited Vulnerabilities Catalog
The severity and active exploitation of CVE-2022-0028 prompted CISA to take swift action by adding this vulnerability to its highly significant Known Exploited Vulnerabilities (KEV) Catalog on Monday. The KEV Catalog is a curated list of cybersecurity flaws that have demonstrably been exploited in real-world attacks. Inclusion in this catalog signifies that CISA "strongly recommends" that both public and private sector organizations prioritize remediation efforts for these vulnerabilities. The agency’s objective with the KEV Catalog is to reduce the likelihood of successful compromises by known threat actors.
This inclusion means that federal agencies, as per the Binding Operational Directive 22-01, are mandated to patch the identified vulnerabilities within specific timeframes. The September 9th deadline for this Palo Alto Networks vulnerability underscores the immediate threat perceived by CISA. For private organizations, while not legally binding in the same way, CISA’s recommendation serves as a critical alert to prioritize patching these actively exploited flaws.
Affected Products and Operating System Versions
The vulnerability impacts a range of Palo Alto Networks’ widely deployed firewall products that run the PAN-OS software. Specifically, the following product lines are affected:
- PA-Series devices (hardware firewalls)
- VM-Series devices (virtual firewalls)
- CN-Series devices (containerized firewalls)
Palo Alto Networks has released patches for each affected PAN-OS release train. The following versions are vulnerable; organizations are urged to update to the listed fix release or later to address CVE-2022-0028:
- PAN-OS versions prior to 10.2.2-h2 (update to 10.2.2-h2 or later)
- PAN-OS versions prior to 10.1.6-h6 (update to 10.1.6-h6 or later)
- PAN-OS versions prior to 10.0.11-h1 (update to 10.0.11-h1 or later)
- PAN-OS versions prior to 9.1.14-h4 (update to 9.1.14-h4 or later)
- PAN-OS versions prior to 9.0.16-h3 (update to 9.0.16-h3 or later)
- PAN-OS versions prior to 8.1.23-h1 (update to 8.1.23-h1 or later)
The company’s advisory provides detailed technical information for administrators to assess their configurations and apply the necessary updates.
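Because the fix is per release train, a version string has to be compared against the fix release of its own train rather than against the highest number in the list. The following is an added example (not vendor or CISA code) that parses PAN-OS version strings of the form major.minor.maintenance-hN and triages an inventory against the fix versions given above. The inventory hostnames are constructed; a train the article lists no fix for is reported as such rather than assumed safe.

```python
"""Triage PAN-OS version strings against the CVE-2022-0028 fix releases.

Added example, not code from Palo Alto Networks or CISA. Fix versions are the
ones listed in the text; the version format major.minor.maint-hN is the PAN-OS
scheme. Anything that does not match that shape is reported as unparseable
rather than guessed.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum fixed release per PAN-OS train, as listed in the article.
FIXED_VERSIONS = {
    "10.2": "10.2.2-h2",
    "10.1": "10.1.6-h6",
    "10.0": "10.0.11-h1",
    "9.1": "9.1.14-h4",
    "9.0": "9.0.16-h3",
    "8.1": "8.1.23-h1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(ver: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '10.1.6-h6' into (10, 1, 6, 6); a missing hotfix counts as 0."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        return None
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(ver: str) -> str:
    """Return 'vulnerable', 'patched', 'no-fix-listed' or 'unparseable'.

    A train absent from FIXED_VERSIONS (e.g. 8.0) gets 'no-fix-listed': the
    text gives no fix for it, so this function does not claim it is safe.
    """
    parsed = parse_version(ver)
    if parsed is None:
        return "unparseable"
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        return "no-fix-listed"
    return "patched" if parsed >= parse_version(fixed) else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {hostname: version} inventory to its assessment."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "fw-edge-01": "10.1.6-h3",
        "fw-edge-02": "10.1.6-h6",
        "fw-dc-01": "9.1.14-h4",
        "fw-lab-01": "8.0.20",
        "fw-branch-07": "10.2.3",
    }
    for host, status in triage(sample).items():
        print(f"{host:14} {sample[host]:12} {status}")
```

Comparing tuples keeps the hotfix significant: 10.1.6 without a hotfix sorts below 10.1.6-h6 and is therefore still vulnerable, while 10.2.3 sorts above 10.2.2-h2 and is patched.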
The Mechanics of Reflected and Amplified Denial-of-Service (RDoS) Attacks
Understanding the nature of reflected and amplified DoS attacks is crucial to grasping the threat posed by CVE-2022-0028. These attacks are not new to the cybersecurity landscape and have become increasingly sophisticated and prevalent over the years. They represent a significant evolution in the Distributed Denial of Service (DDoS) attack domain, particularly in their capacity to generate massive volumes of disruptive traffic.
At their core, RDoS attacks exploit vulnerabilities in various network protocols and services to magnify the attacker’s initial, relatively small, malicious traffic into a much larger flood directed at a victim. This amplification is achieved by using intermediary servers or devices that, when queried with a spoofed source IP address (that of the intended victim), respond with significantly larger data packets or a high volume of responses.
Commonly exploited protocols for reflection and amplification include DNS (Domain Name System), NTP (Network Time Protocol), SSDP (Simple Service Discovery Protocol), CLDAP (Connectionless Lightweight Directory Access Protocol), and Chargen, among others.
In the context of CVE-2022-0028, the attack vector involves TCP. An attacker initiates the process by sending a spoofed SYN packet to a range of IP addresses that act as reflectors. The critical element is that the source IP address in this SYN packet is not the attacker’s but is replaced with the IP address of the intended victim.
When these reflection servers receive the spoofed SYN packet, they attempt to establish a TCP connection by sending a SYN-ACK packet back to the victim’s IP address. If the victim does not respond as expected (because it did not initiate the original request), the reflection service, depending on its configuration and protocol, may continue to retransmit the SYN-ACK packet. This repeated retransmission significantly amplifies the amount of traffic sent to the victim. The attacker can further manipulate the scale of this amplification by selecting reflectors that are known to have high amplification factors or by targeting a large number of such reflectors.
One of the key advantages for attackers using RDoS techniques is the obfuscation of their own identity. By spoofing the victim’s IP address as the source, the traffic appears to originate from the victim itself, making it difficult for network defenders to trace the attack back to its true source. This complexity in attribution adds another layer of challenge for incident responders.
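From the victim's side, the exchange just described leaves a recognisable trace: SYN-ACKs arrive from peers the site never sent a SYN to, and each reflector repeats its SYN-ACK as it retransmits. The script below is an added example (not from the article, CISA or Palo Alto Networks) that runs that check over a small constructed packet capture and reports, per suspected reflector, the retransmission count and the bytes absorbed per spoofed SYN. The packet records, the 60-byte trigger size and the documentation-range addresses are all assumptions made for the example.

```python
"""Spot unsolicited, retransmitted SYN-ACKs at a suspected reflection victim.

Added example, not from the article, CISA or Palo Alto Networks. It views the
reflection described in the text from the victim's side: SYN-ACKs arrive from
hosts this site never sent a SYN to, and each reflector keeps retransmitting.
Packet records are constructed (ts, src, dst, flags, length) tuples standing in
for flow or pcap data; addresses are documentation ranges.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Pkt(NamedTuple):
    ts: float      # seconds since capture start
    src: str
    dst: str
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "R" = RST
    length: int    # bytes on the wire


VICTIM = "198.51.100.10"

# Constructed capture: one legitimate handshake, then two reflectors that each
# send a SYN-ACK and keep retransmitting it (exponential backoff) because the
# victim never completes the handshake it did not start.
SAMPLE: List[Pkt] = [
    Pkt(0.0, VICTIM, "203.0.113.5", "S", 60),
    Pkt(0.1, "203.0.113.5", VICTIM, "SA", 60),
    Pkt(1.0, "192.0.2.11", VICTIM, "SA", 60),
    Pkt(2.0, "192.0.2.11", VICTIM, "SA", 60),
    Pkt(4.0, "192.0.2.11", VICTIM, "SA", 60),
    Pkt(8.0, "192.0.2.11", VICTIM, "SA", 60),
    Pkt(16.0, "192.0.2.11", VICTIM, "SA", 60),
    Pkt(1.2, "192.0.2.12", VICTIM, "SA", 60),
    Pkt(2.2, "192.0.2.12", VICTIM, "SA", 60),
    Pkt(4.2, "192.0.2.12", VICTIM, "SA", 60),
]


def unsolicited_synacks(packets: List[Pkt], local_ip: str) -> Dict[str, List[Pkt]]:
    """Group inbound SYN-ACKs by source for peers the local host never sent a SYN to."""
    syn_sent_to = set()
    suspects: Dict[str, List[Pkt]] = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src == local_ip and p.flags == "S":
            syn_sent_to.add(p.dst)
        elif p.dst == local_ip and p.flags == "SA" and p.src not in syn_sent_to:
            suspects[p.src].append(p)
    return dict(suspects)


def reflection_report(packets: List[Pkt], local_ip: str,
                      trigger_bytes: int = 60, min_retransmits: int = 2) -> Dict[str, dict]:
    """Per suspected reflector: packet count, retransmissions, bytes and amplification.

    Amplification is the bytes the victim absorbed divided by the size of the
    single spoofed SYN (assumed to be trigger_bytes) that provoked them: the
    factor the text describes, measured from the receiving end.
    """
    report = {}
    for src, pkts in unsolicited_synacks(packets, local_ip).items():
        received = sum(p.length for p in pkts)
        retx = len(pkts) - 1
        report[src] = {
            "synacks": len(pkts),
            "retransmissions": retx,
            "bytes": received,
            "amplification": received / trigger_bytes,
            "verdict": "likely-reflection" if retx >= min_retransmits else "single-stray",
        }
    return report


if __name__ == "__main__":
    for src, r in reflection_report(SAMPLE, VICTIM).items():
        print(f"{src:12} synacks={r['synacks']} retx={r['retransmissions']} "
              f"amp={r['amplification']:.1f}x {r['verdict']}")
```

The legitimate peer 203.0.113.5 never appears in the report because the victim's own SYN to it was seen first. A lone stray SYN-ACK is tagged `single-stray` so that ordinary backscatter does not trip the detector; sustained retransmission from many sources is the pattern worth alerting on.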
Broader Implications of the Vulnerability and CISA’s Warning
The fact that a leading firewall vendor like Palo Alto Networks has a vulnerability being actively exploited is a significant concern for organizations globally. Firewalls are fundamental components of network security infrastructure, acting as the first line of defense against external threats. A compromise in firewall software can have far-reaching consequences, potentially allowing attackers to bypass other security controls, gain unauthorized access to internal networks, or disrupt critical services.
The current threat landscape is characterized by increasingly sophisticated and persistent adversaries. Organizations that fail to keep their security infrastructure patched and up-to-date are prime targets. The inclusion of CVE-2022-0028 in CISA’s KEV Catalog serves as a stark reminder that attackers are actively scanning for and exploiting known vulnerabilities.
Supporting Data and Context
- DDoS Attack Trends: Reports from cybersecurity firms consistently show an upward trend in the frequency, volume, and sophistication of DDoS attacks. For instance, Akamai’s State of the Internet report has often highlighted the growth in peak attack volumes, with some attacks reaching hundreds of gigabits per second or even terabits per second. Reflection and amplification techniques are a primary driver of these massive attack volumes.
- Ransomware and DDoS Synergy: Increasingly, attackers are employing DDoS attacks as a tactic to pressure victims into paying ransoms. Disrupting a victim’s online services can inflict significant financial and reputational damage, making them more amenable to paying cybercriminals to halt the attack or restore services.
- Supply Chain Risks: Vulnerabilities in widely used security products like firewalls represent a significant supply chain risk. A compromise at the vendor level can impact thousands or even millions of downstream customers. This underscores the importance of vendor security practices and diligent patching by end-users.
Chronology of Events (Inferred and Reported)
While a precise timeline of the initial discovery and exploitation of CVE-2022-0028 is not publicly detailed, the sequence of events leading to CISA’s warning can be inferred as follows:
- Vulnerability Discovery: Palo Alto Networks likely discovered the vulnerability internally or through responsible disclosure from a security researcher.
- Patch Development: Upon discovery, Palo Alto Networks engineers developed and tested a fix for the vulnerability.
- Vendor Advisory and Patch Release: Palo Alto Networks issued an advisory detailing the vulnerability (CVE-2022-0028) and released patches for affected PAN-OS versions, likely in early August 2022, given the September 9th deadline set by CISA.
- Active Exploitation Observed: Cybersecurity intelligence sources and potentially Palo Alto Networks itself detected active attempts by threat actors to exploit CVE-2022-0028 in the wild.
- CISA Notification and KEV Inclusion: Based on the observed exploitation, CISA was alerted to the threat. This led to the inclusion of CVE-2022-0028 in the KEV Catalog on Monday, August 29, 2022.
- CISA Directive Issued: Following the KEV inclusion, CISA issued its urgent warning, mandating federal agencies under Binding Operational Directive 22-01 to patch by September 9th and strongly recommending immediate action for all organizations.
Expert Analysis and Broader Impact
The current situation highlights several critical aspects of modern cybersecurity:
- The Persistent Threat of DDoS: Despite advances in defensive technologies, DDoS attacks, especially amplified and reflected variants, remain a potent weapon in the attacker’s arsenal. The ease with which these attacks can be launched, combined with their disruptive potential, ensures their continued popularity.
- Importance of Configuration Management: The vulnerability’s reliance on a specific, unintended misconfiguration underscores the vital importance of robust configuration management and regular security audits. Even with secure software, improper setup can create significant security gaps.
- Proactive Patching is Non-Negotiable: CISA’s repeated emphasis on patching known exploited vulnerabilities, particularly through its KEV Catalog, reinforces the principle that proactive vulnerability management is a cornerstone of effective cybersecurity. Waiting for an attack to occur before patching is a reactive and often costly strategy.
- Vendor Responsibility and Transparency: Palo Alto Networks’ swift response in issuing a fix and advisory demonstrates a commitment to product security. However, it also serves as a reminder that even leading vendors can have vulnerabilities, necessitating continuous vigilance from both vendors and their customers.
Organizations that utilize Palo Alto Networks firewalls should consider this a critical incident response situation. A thorough inventory of all deployed PAN-OS versions and their configurations is paramount. Prioritizing the application of the released patches, even outside of the federal mandate, is essential to protect against the ongoing threat of active exploitation. Failure to do so could lead to significant operational disruptions, data breaches, and reputational damage. The ongoing evolution of cyber threats demands a constant state of readiness and a commitment to maintaining the highest security hygiene.
