PrometuNews
© 2026 Prometu News. Powered by Prometu, Inc.

CISA Warns of Active Attacks on Palo Alto Networks Firewalls


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issues an urgent warning due to active attacks exploiting a vulnerability in Palo Alto Networks firewalls.

OMNI
The high-severity vulnerability (CVE-2022-0028) in Palo Alto Networks firewall software is being actively exploited by attackers, prompting CISA to issue a warning to federal agencies and IT security teams. The agency has urged entities to apply available fixes by September 9, highlighting the urgency of the situation. This call to action underscores the importance of cybersecurity in the context of critical infrastructure and national defense.

The vulnerability allows remote hackers to carry out reflected and amplified denial-of-service (DoS) attacks without needing to authenticate to the targeted systems. Palo Alto Networks has released a fix, but CISA emphasizes the need for immediate action to mitigate the risks associated with the exploitation of this security flaw. Rapid response is crucial to prevent service disruptions and protect sensitive data.

Affected products are those running PAN-OS firewall software, including PA-Series, VM-Series, and CN-Series devices. Vulnerable PAN-OS versions are those prior to 10.2.2-h2, 10.1.6-h6, 10.0.11-h1, 9.1.14-h4, 9.0.16-h3, and 8.1.23-h1; those releases contain the fix. The vulnerability lies in a specific URL filtering configuration, where a misconfiguration can allow reflected and amplified TCP denial-of-service attacks.

According to the Palo Alto Networks advisory, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external-facing network interface. This configuration, often unintended by the network administrator, is the entry point for the attacks.
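The three conditions the advisory names (a URL filtering profile attached to a rule, that profile blocking at least one category, and a source zone that includes an external-facing interface) can be checked mechanically before patching. The script below is an added example, not Palo Alto Networks code and not the PAN-OS configuration schema: rules and profiles are modelled as simplified dataclasses with field names chosen here, and the sample rule set and the zone name "untrust" are constructed for illustration.

```python
"""Audit a simplified security rule set for the CVE-2022-0028 precondition.

Added example. The data model below is a constructed stand-in for the
fields the advisory describes; it is not the PAN-OS XML/API schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UrlFilteringProfile:
    name: str
    blocked_categories: List[str] = field(default_factory=list)


@dataclass
class SecurityRule:
    name: str
    source_zones: List[str]
    url_filtering_profile: Optional[str] = None


@dataclass
class Finding:
    rule: str
    profile: str
    external_zones: List[str]
    blocked_categories: List[str]


def find_exposed_rules(rules: List[SecurityRule],
                       profiles: List[UrlFilteringProfile],
                       external_zones: List[str]) -> List[Finding]:
    """Return rules matching all three advisory conditions:
    (1) a URL filtering profile is attached,
    (2) that profile blocks one or more categories,
    (3) the rule's source zones include an external-facing zone.
    A source zone of 'any' is treated as including every external zone."""
    profiles_by_name: Dict[str, UrlFilteringProfile] = {p.name: p for p in profiles}
    external = set(external_zones)
    findings: List[Finding] = []
    for rule in rules:
        if not rule.url_filtering_profile:
            continue  # condition (1) not met
        profile = profiles_by_name.get(rule.url_filtering_profile)
        if profile is None or not profile.blocked_categories:
            continue  # condition (2) not met (alert-only or unknown profile)
        if "any" in rule.source_zones:
            hit = sorted(external)
        else:
            hit = sorted(set(rule.source_zones) & external)
        if hit:  # condition (3)
            findings.append(Finding(rule.name, profile.name, hit,
                                    list(profile.blocked_categories)))
    return findings


# Constructed sample configuration (hypothetical names, not from the page).
PROFILES = [
    UrlFilteringProfile("block-malware", ["malware", "phishing"]),
    UrlFilteringProfile("alert-only", []),  # blocks nothing, so not affected
]
RULES = [
    SecurityRule("inbound-web", ["untrust"], "block-malware"),   # exposed
    SecurityRule("outbound-users", ["trust"], "block-malware"),  # internal source only
    SecurityRule("inbound-alert", ["untrust"], "alert-only"),    # profile blocks nothing
    SecurityRule("catch-all", ["any"], "block-malware"),         # 'any' covers untrust
    SecurityRule("mgmt", ["trust"]),                              # no profile attached
]
EXTERNAL_ZONES = ["untrust"]  # assumption: the zone bound to the Internet-facing interface


def audit() -> List[Finding]:
    """Run the check over the constructed sample; returns the exposed rules."""
    return find_exposed_rules(RULES, PROFILES, EXTERNAL_ZONES)


if __name__ == "__main__":
    for f in audit():
        print(f"rule '{f.rule}': profile '{f.profile}' blocks {f.blocked_categories} "
              f"and is reachable from external zone(s) {f.external_zones}")
```

Only rules that meet all three conditions are reported; a rule whose profile merely alerts on categories, or whose source zones are all internal, is skipped. Any finding is a rule to review while the fixed PAN-OS release is being rolled out.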
On Monday, CISA added the Palo Alto Networks vulnerability to its Known Exploited Vulnerabilities Catalog (KEV). The KEV catalog is a curated list of flaws that have been exploited in the real world, and the agency strongly recommends that public and private organizations pay close attention to these vulnerabilities to prioritize remediation and reduce the likelihood of compromise by known threat actors.

Inclusion in the KEV highlights the severity of the vulnerability and the need for immediate action. CISA emphasizes the importance of proactive cybersecurity management to protect critical infrastructure and sensitive data.
Reflected and amplified denial-of-service (DoS) attacks have seen an increase in frequency and sophistication. These attacks leverage vulnerabilities in protocols such as DNS, NTP, and SSDP to maximize the scale of the attack. Unlike limited-volume DoS attacks, reflected and amplified attacks can generate much higher volumes of disruptive traffic.

A TCP reflection attack, which is believed to be the technique used against the Palo Alto Networks devices, involves sending SYN packets whose source IP address is spoofed to the victim's address to a series of reflection hosts. The services at those addresses answer the victim with SYN-ACK packets, amplifying the attack.
The magnitude of the amplification in a reflected and amplified DoS attack depends on the number of SYN-ACK retransmissions by the reflection service, which can be defined by the attacker. This allows attackers to magnify the amount of malicious traffic generated while obscuring the sources of the attack. The impact of these attacks can be significant, affecting revenue, customer service, and basic business functions.
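From the victim's side, the signature of this technique is a burst of SYN-ACKs from many hosts that the victim never sent a SYN to, each repeated once per retransmission. The following added example (not from the page or from any vendor) runs that check over constructed flow records; the record layout, the address values and the retransmission count are assumptions made here for illustration, not a real NetFlow or firewall log format.

```python
"""Detect hosts receiving unsolicited SYN-ACKs, the victim-side sign of a
TCP reflection attack. Added example over constructed flow records."""
from collections import defaultdict
from typing import Dict, List, Tuple

# A flow record is (time_seconds, src_ip, dst_ip, tcp_flags); flags are
# "S" for SYN and "SA" for SYN-ACK. This layout is a constructed stand-in.
Flow = Tuple[float, str, str, str]


def build_sample_flows() -> List[Flow]:
    """Constructed sample: one legitimate handshake plus four reflectors each
    sending a SYN-ACK and three retransmissions to a victim that never sent
    them a SYN. Addresses are documentation ranges, not real hosts."""
    flows: List[Flow] = [
        (0.0, "10.0.0.5", "192.0.2.80", "S"),   # client opens a connection
        (0.1, "192.0.2.80", "10.0.0.5", "SA"),  # server answers: solicited
    ]
    victim = "198.51.100.7"
    reflectors = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]
    retransmissions = 3  # assumed count of SYN-ACK retransmits per reflector
    for i, reflector in enumerate(reflectors):
        for n in range(1 + retransmissions):
            flows.append((1.0 + 0.01 * i + 0.5 * n, reflector, victim, "SA"))
    return flows


def unsolicited_synacks(flows: List[Flow], window_s: float = 5.0) -> Dict[str, Dict[str, int]]:
    """Return {victim: {sender: synack_count}} for SYN-ACKs that arrive
    without a matching SYN from the victim within the preceding window."""
    recent_syns: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for t, src, dst, flags in sorted(flows):
        if flags == "S":
            recent_syns[(src, dst)].append(t)
        elif flags == "SA":
            # Solicited only if dst sent a SYN to src recently.
            solicited = any(t - window_s <= ts <= t for ts in recent_syns.get((dst, src), []))
            if not solicited:
                hits[dst][src] += 1
    return {v: dict(s) for v, s in hits.items()}


def reflection_victims(flows: List[Flow], min_reflectors: int = 3,
                       window_s: float = 5.0) -> Dict[str, Dict[str, float]]:
    """Summarise hosts hit by at least min_reflectors distinct senders.
    'amplification' is SYN-ACKs received per reflector, i.e. per spoofed SYN."""
    summary: Dict[str, Dict[str, float]] = {}
    for victim, per_sender in unsolicited_synacks(flows, window_s).items():
        if len(per_sender) >= min_reflectors:
            total = sum(per_sender.values())
            summary[victim] = {
                "reflectors": len(per_sender),
                "synacks": total,
                "amplification": total / len(per_sender),
            }
    return summary


if __name__ == "__main__":
    for victim, stats in reflection_victims(build_sample_flows()).items():
        print(f"{victim}: {stats['synacks']} unsolicited SYN-ACKs from "
              f"{stats['reflectors']} reflectors (x{stats['amplification']:.1f} per spoofed SYN)")
```

The legitimate server's SYN-ACK is matched to the client's earlier SYN and ignored, while the victim shows four reflectors and sixteen SYN-ACKs: an amplification of four per spoofed packet, which is exactly the retransmission count plus one that the paragraph above describes. On real flow data the window and the reflector threshold need tuning to the site's normal traffic.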

The ongoing evolution of DoS attack techniques represents a constant challenge for businesses. Effective mitigation requires constant vigilance, the implementation of robust security measures, and rapid response to emerging threats.
Editorial Note

This content has been synthesized and optimized by the Prometu editorial system to ensure clarity and neutrality. Based on: Threatpost