Palo Alto Networks has revealed that cybercriminals are targeting firewalls from several vendors to pull off reflected amplification denial-of-service (RDoS) attacks. According to the report, the attackers also targeted firewalls running Palo Alto Networks' own PAN-OS.
Discussing the attacks
Threat actors attempted to abuse CVE-2022-0028, a vulnerability in PAN-OS firewalls.
The flaw stems from a misconfiguration in the PAN-OS URL filtering policy. A network-based attacker who finds a firewall configured this way can use it as a reflector to carry out reflected and amplified TCP denial-of-service attacks without authenticating to the device.
Because the firewall reflects the traffic, the flood appears to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) or CN-Series (container) firewall and is directed at a target the attacker specifies, which hides the attacker's own address from the victim.
Preconditions for flaw exploitation
Exploitation requires a specific configuration that is not typical for URL filtering and, if present, is probably unintended by the administrator.
The firewall must have a URL filtering profile with one or more blocked categories assigned to a security rule whose source zone contains an external-facing network interface.
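The precondition above can be checked mechanically against an exported PAN-OS configuration. The following audit script is an added example, not code from Palo Alto Networks or from the original report; it assumes the element layout of the XML running config as sketched in the constructed sample (zones under `zone/entry`, URL filtering profiles under `profiles/url-filtering/entry` with a `block` list, and rules under `rulebase/security/rules/entry`), and it takes the list of external-facing interfaces from the operator, since "external facing" is not a property the config records by itself.

```python
"""Audit a PAN-OS XML configuration for the CVE-2022-0028 precondition:
a security rule whose source zone has an external-facing interface and
whose URL filtering profile blocks at least one category.

Added example; the XML layout below is assumed from a typical PAN-OS
export and should be checked against a real one (profiles may also live
under <shared> rather than inside a vsys).
"""
import xml.etree.ElementTree as ET

# Constructed sample config: three zones, two URL filtering profiles, three rules.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone>
      <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
      <entry name="dmz"><network><layer3><member>ethernet1/3</member></layer3></network></entry>
    </zone>
    <profiles><url-filtering>
      <entry name="block-malware">
        <block><member>malware</member><member>phishing</member></block>
        <alert><member>social-networking</member></alert>
      </entry>
      <entry name="alert-only">
        <alert><member>malware</member></alert>
      </entry>
    </url-filtering></profiles>
    <rulebase><security><rules>
      <entry name="untrust-to-dmz-web">
        <from><member>untrust</member></from><to><member>dmz</member></to>
        <action>allow</action>
        <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting>
      </entry>
      <entry name="trust-to-untrust">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <action>allow</action>
        <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting>
      </entry>
      <entry name="untrust-alert-only">
        <from><member>untrust</member></from><to><member>dmz</member></to>
        <action>allow</action>
        <profile-setting><profiles><url-filtering><member>alert-only</member></url-filtering></profiles></profile-setting>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""

VSYS = "./devices/entry/vsys/entry"


def zones_for_interfaces(root, external_interfaces):
    """Names of zones that contain any of the given interface names."""
    wanted = set(external_interfaces)
    zones = set()
    for zone in root.iterfind(VSYS + "/zone/entry"):
        members = {m.text for m in zone.iterfind(".//member")}
        if members & wanted:
            zones.add(zone.get("name"))
    return zones


def blocking_url_profiles(root):
    """Map URL filtering profile name -> sorted categories whose action is block."""
    return {
        prof.get("name"): sorted(m.text for m in prof.iterfind("block/member"))
        for prof in root.iterfind(VSYS + "/profiles/url-filtering/entry")
    }


def exposed_rules(config_xml, external_interfaces):
    """Return the enabled allow rules that match the CVE-2022-0028 precondition."""
    root = ET.fromstring(config_xml)
    ext_zones = zones_for_interfaces(root, external_interfaces)
    profiles = blocking_url_profiles(root)
    findings = []
    for rule in root.iterfind(VSYS + "/rulebase/security/rules/entry"):
        if rule.findtext("disabled") == "yes" or rule.findtext("action") != "allow":
            continue  # profiles only take effect on enabled allow rules
        from_zones = {m.text for m in rule.iterfind("from/member")}
        # A source of "any" covers every zone, including the external ones.
        hit_zones = ext_zones if "any" in from_zones else from_zones & ext_zones
        if not hit_zones:
            continue
        prof_name = rule.findtext("profile-setting/profiles/url-filtering/member")
        blocked = profiles.get(prof_name, [])
        if not blocked:
            continue  # alert/allow-only profiles do not meet the precondition
        findings.append({
            "rule": rule.get("name"),
            "source_zones": sorted(hit_zones),
            "profile": prof_name,
            "blocked_categories": blocked,
        })
    return findings


if __name__ == "__main__":
    for f in exposed_rules(SAMPLE_CONFIG, ["ethernet1/1"]):
        print(f"{f['rule']}: zones {f['source_zones']} profile {f['profile']!r} "
              f"blocks {f['blocked_categories']}")
```

With `ethernet1/1` declared external, only `untrust-to-dmz-web` is reported: the `trust-to-untrust` rule uses the same blocking profile but its source zone is internal, and `untrust-alert-only` faces the internet but its profile blocks nothing. Run the same script against a real export and feed it the interfaces that actually carry internet-facing addresses.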
What to do?
To prevent exploitation, administrators are advised to remove the URL filtering policy that creates this condition. As an additional mitigation, enable one of two Zone Protection features on the affected zones: Packet-Based Attack Protection, or Flood Protection with SYN cookies. The vulnerability itself has been fixed by the vendor in PAN-OS 10.1 (hotfix 10.1.6-h6), so upgrading is the definitive remedy and the configuration changes above are workarounds for firewalls that cannot yet be patched.