Palo Alto Networks has revealed that cybercriminals are targeting the firewalls from different vendors to pull off a reflected amplification denial-of-service (RDoS) attack. According to the report, hackers also targeted firewalls of Palo Alto’s proprietary PAN-OS.

Discussing the attacks

Threat actors attempted to abuse CVE-2022-0028 vulnerability in PAN-OS firewalls.
  • The flaw occurs due to a misconfiguration in the PAN-OS URL filtering policy. Its exploitation allows an attacker to carry out reflected and amplified TCP DoS attacks.
  • Additionally, the DoS attack seems to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewall against a target specified by an attacker.

Preconditions for flaw exploitation

  • The vulnerability exploitation requires certain conditions, such as configurations not typical for URL filtering.
  • The firewall configuration must have a URL filtering profile with one or more blocked categories given to security rules with a source zone having an external facing network interface.

What to do?

To prevent exploitation, users are suggested to remove the URL filtering policy that leads to this vulnerability. Further, enable a security feature between packet-based attack protection and flood protection on network firewalls. However, the vulnerability has been addressed by the firm in the PAN-OS 10.1 version.
Cyware Publisher

Publisher

Cyware