Global Critical Infrastructure Potentially Vulnerable to Reflected Amplification-based Denial-of-Service (RDoS) Attacks
Over the past few weeks, Cyble Research & Intelligence Labs has observed active exploitation of a recently discovered vulnerability in Palo Alto Networks’ PAN-OS, the operating system that runs its firewalls. The flaw could allow a remote Threat Actor (TA) to conduct reflected and amplified TCP denial-of-service (RDoS) attacks against a target without any authentication.
This high-severity vulnerability, identified as CVE-2022-0028 with a CVSS score of 8.6, can be exploited to help attackers hide their identity and location while launching both reflected and amplified DDoS attacks.
This vulnerability was found and added to CISA’s Known Exploited Vulnerabilities Catalog on August 8, 2022.
According to the vendor’s security advisory, exploitation of this issue does not impact the product’s confidentiality, integrity, or availability. However, the resulting Denial of Service (DoS) attack may implicate the firewall as the source of the attack and obfuscate the real attacker’s identity.
Configurations required for external exposure
The firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule whose source zone has an external-facing network interface. This condition must be met for the vulnerability to be exploited in an external attack.
The vulnerability is present only in PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewalls, and only when all three of the following conditions are true:
1. The security policy on the firewall that allows traffic to pass from Zone A to Zone B includes a URL filtering profile with one or more blocked categories.
2. Packet-based attack protection is not enabled in a Zone Protection profile for Zone A, including both (Packet Based Attack Protection > TCP Drop > TCP Syn With Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open);
3. Flood protection through SYN cookies is not enabled in a Zone Protection profile for Zone A (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
Exposed Instances by Region and Industry
Cyble Research & Intelligence Labs discovered over 3,300 internet-exposed instances running vulnerable PAN-OS versions via an internet scanner. However, not all of the exposed assets are affected by this vulnerability, since the configuration conditions above must also be met.
Figure 1 shows the countries with the highest amount of exposed instances.
Our research found that several PAN-OS instances are deployed in organizations operating in critical infrastructure sectors, as shown in Figure 2. Organizations in these sectors play a crucial role in the national economy, national security, public health, and safety, so an attack on their exposed assets can have a devastating impact on a nation.
Countermeasures & Recommendations
Enterprises can implement the following measures to secure themselves against the exploitation of this vulnerability:
- Apply the latest security updates to affected devices as released by the vendor.
- If a DoS attack takes place, consider one of the following workarounds. The first is packet-based attack protection, including both (Packet Based Attack Protection > TCP Drop > TCP SYN with Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open).
- The second is flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
- NOTE: It is neither necessary nor advantageous to apply both the packet-based attack protection and the flood protection.
- Limit access to remote services through services such as VPNs and other managed remote access systems.
- Limit the exposure of critical assets over the internet by implementing proper network segmentation.
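The three exposure conditions above and the two workarounds just listed describe the same configuration state from opposite sides: a zone is exposed when a rule from that zone carries a blocking URL filtering profile and the zone has neither the packet-based TCP protections nor SYN-cookie flood protection at threshold 0. The following script, an added example that is not part of Cyble's post or of any Palo Alto Networks tooling, evaluates that logic over a configuration export. The XML layout and element names (`zone-protection-profile`, `discard-tcp-syn-with-data`, `strip-tcp-fast-open-and-data`, `flood/tcp-syn/syn-cookies/activate-rate`, and the rulebase and URL-filtering paths) are a simplified approximation of a PAN-OS config and are assumptions to verify against a real export; the sample configuration is constructed for illustration.

```python
"""Flag zones whose configuration matches all three CVE-2022-0028 exposure
conditions. Element names below are assumed approximations of a PAN-OS
running-config export and must be checked against a real export."""
import xml.etree.ElementTree as ET

# Constructed sample: two zones with profiles, one zone with no profile at all.
SAMPLE_CONFIG = """
<config>
  <zone>
    <entry name="untrust"><network><zone-protection-profile>zpp-weak</zone-protection-profile></network></entry>
    <entry name="trust"><network><zone-protection-profile>zpp-hardened</zone-protection-profile></network></entry>
    <entry name="guest"><network/></entry>
  </zone>
  <zone-protection-profile>
    <entry name="zpp-weak">
      <flood><tcp-syn><enable>no</enable></tcp-syn></flood>
    </entry>
    <entry name="zpp-hardened">
      <discard-tcp-syn-with-data>yes</discard-tcp-syn-with-data>
      <strip-tcp-fast-open-and-data>yes</strip-tcp-fast-open-and-data>
      <flood><tcp-syn><enable>yes</enable><syn-cookies><activate-rate>0</activate-rate></syn-cookies></tcp-syn></flood>
    </entry>
  </zone-protection-profile>
  <profiles><url-filtering>
    <entry name="block-malware"><block><member>malware</member></block></entry>
    <entry name="alert-only"><alert><member>malware</member></alert></entry>
  </url-filtering></profiles>
  <rulebase><security><rules>
    <entry name="untrust-to-trust-web"><from><member>untrust</member></from><to><member>trust</member></to>
      <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting></entry>
    <entry name="trust-out"><from><member>trust</member></from><to><member>untrust</member></to>
      <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting></entry>
    <entry name="untrust-alert"><from><member>untrust</member></from><to><member>trust</member></to>
      <profile-setting><profiles><url-filtering><member>alert-only</member></url-filtering></profiles></profile-setting></entry>
    <entry name="guest-any"><from><member>guest</member></from><to><member>any</member></to>
      <profile-setting><profiles><url-filtering><member>block-malware</member></url-filtering></profiles></profile-setting></entry>
  </rules></security></rulebase>
</config>
""".strip()


def _yes(elem, path):
    """True when the element at `path` exists and is set to 'yes'."""
    node = elem.find(path)
    return node is not None and (node.text or "").strip() == "yes"


def packet_based_protection(zpp):
    """Workaround 1: both 'TCP SYN with Data' drop and 'TCP Fast Open' strip enabled."""
    return _yes(zpp, "discard-tcp-syn-with-data") and _yes(zpp, "strip-tcp-fast-open-and-data")


def syn_cookie_protection(zpp):
    """Workaround 2: SYN flood protection with SYN cookies activating at 0 connections."""
    if not _yes(zpp, "flood/tcp-syn/enable"):
        return False
    rate = zpp.find("flood/tcp-syn/syn-cookies/activate-rate")
    return rate is not None and (rate.text or "").strip() == "0"


def url_profile_blocks_categories(profile):
    """Condition 1: the URL filtering profile blocks at least one category."""
    return len(profile.findall("block/member")) > 0


def find_exposed_zones(xml_text):
    """Return one finding per (source zone, rule) pair meeting all three conditions."""
    root = ET.fromstring(xml_text)
    zpp_by_name = {e.get("name"): e for e in root.findall("zone-protection-profile/entry")}
    url_by_name = {e.get("name"): e for e in root.findall("profiles/url-filtering/entry")}
    zone_profile = {z.get("name"): (z.findtext("network/zone-protection-profile") or "")
                    for z in root.findall("zone/entry")}
    findings = []
    for rule in root.findall("rulebase/security/rules/entry"):
        url_name = rule.findtext("profile-setting/profiles/url-filtering/member")
        url_prof = url_by_name.get(url_name)
        if url_prof is None or not url_profile_blocks_categories(url_prof):
            continue  # condition 1 not met: no blocking URL filtering profile on this rule
        sources = [m.text.strip() for m in rule.findall("from/member")]
        if "any" in sources:
            sources = list(zone_profile)  # a rule from 'any' exposes every zone
        for zone in sources:
            zpp = zpp_by_name.get(zone_profile.get(zone))
            # Either workaround alone suffices, so exposure needs both to be absent.
            if zpp is not None and (packet_based_protection(zpp) or syn_cookie_protection(zpp)):
                continue
            findings.append({"zone": zone, "rule": rule.get("name"), "url_profile": url_name})
    return findings


if __name__ == "__main__":
    for f in find_exposed_zones(SAMPLE_CONFIG):
        print(f"zone {f['zone']!r} exposed via rule {f['rule']!r} (URL profile {f['url_profile']!r})")
```

On the constructed sample the `untrust` zone (weak profile) and the `guest` zone (no profile assigned) are flagged, while `trust` passes because its profile carries both workarounds and the `untrust-alert` rule is skipped because its URL profile only alerts. Adapting this to a real export means confirming the XPath expressions against the device's own XML, and treating a zone with no zone protection profile as exposed, as the script does.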
Threat Actors have been actively exploiting this vulnerability since it was discovered early in August 2022. Internet scanners are the TA’s first choice for finding vulnerable assets. Multiple exposed assets that may be vulnerable belong to critical industries, where successful exploitation could cause serious damage. Although Palo Alto Networks has released patches for every vulnerable version, some instances may remain unpatched and therefore exploitable.