Palo Alto Networks Devices Running the PAN-OS Could Allow Attacker to Launch DoS Attack
A high-severity issue tracked as CVE-2022-0028, with a CVSS score of 8.6, in Palo Alto Networks devices running PAN-OS may allow an attacker to launch a denial-of-service (DoS) attack.
The issue affects Palo Alto Networks PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewalls, which can be used against an attacker-specified target. A misconfiguration in the PAN-OS URL filtering policy allows a network-based attacker to conduct reflected and amplified TCP DoS attacks.
“If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack”, reads the advisory published by Palo Alto Networks.
Product Status
VERSIONS | AFFECTED | UNAFFECTED |
Cloud NGFW | None | All |
PAN-OS 10.2 | < 10.2.2-h2 | >= 10.2.2-h2 (ETA: week of August 15, 2022) |
PAN-OS 10.1 | < 10.1.6-h6 | >= 10.1.6-h6 |
PAN-OS 10.0 | < 10.0.11-h1 | >= 10.0.11-h1 (ETA: week of August 15, 2022) |
PAN-OS 9.1 | < 9.1.14-h4 | >= 9.1.14-h4 (ETA: week of August 15, 2022) |
PAN-OS 9.0 | < 9.0.16-h3 | >= 9.0.16-h3 (ETA: week of August 15, 2022) |
PAN-OS 8.1 | < 8.1.23-h1 | >= 8.1.23-h1 (ETA: August 15, 2022) |
Prisma Access 3.1 | None | All |
Prisma Access 3.0 | None | All |
Prisma Access 2.2 | None | All |
Prisma Access 2.1 | None | All |
Software Update Available
Palo Alto Networks has released a security update to address a vulnerability in PAN-OS firewall configurations. The company identified workarounds to prevent the denial-of-service (DoS) attacks that result from this issue in certain Palo Alto Networks firewalls with this policy configuration.
This issue is fixed in PAN-OS 10.1.6-h6 and all later PAN-OS versions for PA-Series, VM-Series, and CN-Series firewalls. The company anticipates releasing all PAN-OS software updates for this issue no later than the week of August 15, 2022.
Mitigation
To prevent denial-of-service (DoS) attacks resulting from this issue from all sources, it is recommended to configure your Palo Alto Networks firewalls by enabling one of the two zone protection mitigations on all Security zones with an assigned Security policy that includes a URL filtering profile:
1. Packet-based attack protection including both (Packet Based Attack Protection > TCP Drop > TCP SYN with Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open);
(Or) 2. Flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
Source credit : cybersecuritynews.com