CISA is warning of high-severity PAN-OS DDoS flaw used in attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about a recently disclosed vulnerability in Palo Alto Networks' PAN-OS.
The issue, tracked as CVE-2022-0028, is rated high severity and allows an unauthenticated remote threat actor to launch reflected and amplified denial-of-service (DoS) attacks.
The vulnerability can only be exploited if all of the following conditions apply:
- The security policy on the firewall that allows traffic to pass from Zone A to Zone B includes a URL filtering profile with one or more blocked categories
- Packet-based attack protection is not enabled in a Zone Protection profile for Zone A, including both (Packet Based Attack Protection > TCP Drop > TCP Syn With Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open)
- Flood protection through SYN cookies is not enabled in a Zone Protection profile for Zone A (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections
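The three conditions above must hold together, and two of them have a detail that is easy to get wrong: packet-based attack protection only counts when both TCP Drop settings are on, and SYN cookies only count when the activation threshold is 0. The following Python check evaluates those conditions over a small set of security policies and zone protection profiles. It is an added example, not code from the article or from Palo Alto Networks; the data model (field names such as `blocked_url_categories` and `syn_cookie_activation_threshold`) and the sample configuration are constructed for illustration and do not mirror PAN-OS configuration keys, so a real audit would populate it from the exported firewall configuration.

```python
"""Evaluate the CVE-2022-0028 exploitability conditions over a simplified,
constructed model of a firewall configuration (added example; the field
names are invented and are not PAN-OS configuration keys)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ZoneProtection:
    """Subset of a Zone Protection profile relevant to the three conditions."""
    # Packet Based Attack Protection > TCP Drop (both must be enabled)
    drop_tcp_syn_with_data: bool = False
    strip_tcp_fast_open: bool = False
    # Flood Protection > SYN > Action > SYN Cookie and its activation threshold
    syn_cookie_enabled: bool = False
    syn_cookie_activation_threshold: Optional[int] = None


@dataclass
class SecurityPolicy:
    """A rule allowing traffic from one zone to another, with the URL
    filtering profile reduced to the list of categories it blocks."""
    name: str
    from_zone: str
    to_zone: str
    blocked_url_categories: List[str] = field(default_factory=list)


def packet_based_protection_complete(zp: ZoneProtection) -> bool:
    """Condition 2 is only defeated when BOTH TCP Drop settings are on."""
    return zp.drop_tcp_syn_with_data and zp.strip_tcp_fast_open


def syn_cookie_mitigates(zp: ZoneProtection) -> bool:
    """Condition 3 is only defeated by SYN cookies with a threshold of 0;
    a higher threshold leaves traffic below that rate unprotected."""
    return zp.syn_cookie_enabled and zp.syn_cookie_activation_threshold == 0


def exposed_policies(policies: List[SecurityPolicy],
                     zone_protection: Dict[str, ZoneProtection]) -> List[str]:
    """Return the names of policies for which all three conditions hold,
    i.e. the Zone A -> Zone B paths that expose the device to the flaw."""
    exposed = []
    for policy in policies:
        if not policy.blocked_url_categories:
            continue  # condition 1 not met: nothing is blocked by URL filtering
        # A zone with no profile at all has neither mitigation enabled.
        zp = zone_protection.get(policy.from_zone, ZoneProtection())
        if packet_based_protection_complete(zp) or syn_cookie_mitigates(zp):
            continue  # condition 2 or 3 not met: a mitigation is in place
        exposed.append(policy.name)
    return exposed


# Constructed sample configuration (not from any real device).
SAMPLE_POLICIES = [
    SecurityPolicy("allow-untrust-to-dmz", "untrust", "dmz", ["malware"]),
    SecurityPolicy("allow-trust-to-untrust", "trust", "untrust", ["malware"]),
    SecurityPolicy("allow-guest-to-untrust", "guest", "untrust", []),
    SecurityPolicy("allow-partner-to-dmz", "partner", "dmz", ["phishing"]),
]
SAMPLE_ZONE_PROTECTION = {
    # trust: both TCP Drop settings on -> mitigated
    "trust": ZoneProtection(drop_tcp_syn_with_data=True, strip_tcp_fast_open=True),
    # partner: SYN cookies on, but threshold 1000 instead of 0 -> still exposed
    "partner": ZoneProtection(syn_cookie_enabled=True,
                              syn_cookie_activation_threshold=1000),
    # untrust and guest have no Zone Protection profile at all
}

if __name__ == "__main__":
    for name in exposed_policies(SAMPLE_POLICIES, SAMPLE_ZONE_PROTECTION):
        print(f"exposed: {name}")
```

Running it against the sample configuration reports `allow-untrust-to-dmz` (no profile on the source zone) and `allow-partner-to-dmz` (SYN cookies enabled, but with a non-zero activation threshold); the guest policy is skipped because it blocks no URL categories, and the trust policy is covered by the complete packet-based protection.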
Palo Alto Networks has released patches for the PA-Series, VM-Series, and CN-Series devices that are vulnerable to CVE-2022-0028.
Although exploiting the flaw can only cause a DoS condition on the affected device, it has already been used in at least one attack.
Organizations with vulnerable devices that cannot apply the latest updates immediately can use the following guidance from the OEM as a workaround until the fixes are installed.