Scroll Top
19th Ave New York, NY 95822, USA

CISA: high-severity PAN-OS DDoS flaw used in attacks


A recent vulnerability found in Palo Alto Networks’ PAN-OS has been added to the catalog of Known Exploitable Vulnerabilities from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The security issue is a high-severity risk identified as CVE-2022-0028 that allows a remote threat actor to deploy reflected and amplified denial-of-service (DoS) attacks without having to authenticate.

Certain conditions apply

Several PAN-OS versions powering PA-Series, VM-Series, and CN-Series devices are vulnerable to CVE-2022-0028 and Palo Alto Networks has released patches for all of them.

While exploiting the flaw can only cause a DoS condition on the affected device, it has already been used for at least one attack.

In a security advisory on August 12, Palo Alto Networks says that they became aware of the issue after receiving an alert about an attempted reflected denial-of-service (RDoS) attack through one of its products.

According to the vendor, a threat actor exploiting the issue could hide their original IP address, making remediation a more difficult task.


CISA is warning federal agencies that they should apply available fixes by September 9 and is using the following summary to describe it:

A Palo Alto Networks PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.

Palo Alto Networks that CVE-2022-0028 is exploitable only under certain conditions, which are not part of a common firewall configuration:

  • The security policy on the firewall that allows traffic to pass from Zone A to Zone B includes a URL filtering profile with one or more blocked categories
  • Packet-based attack protection is not enabled in a Zone Protection profile for Zone A, including both (Packet Based Attack Protection > TCP Drop > TCP Syn With Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open)
  • Flood protection through SYN cookies is not enabled in a Zone Protection profile for Zone A (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections

If organizations with vulnerable devices cannot apply the most recent updates immediately, they can use the following guide from the vendor as a workaround until fixes can be installed.

The current catalog of Known Exploitable Vulnerabilities from CISA lists 802 security issues that organizations around the world could use to improve their defenses.


Related Posts