Palo Alto Recognizes Vulnerability Impacting PAN-OS® (CVE-2022-0028)

Cyble Research & Intelligence Labs analyzes recent Threat Actor activity exploiting a Palo Alto Networks PAN-OS vulnerability to target assets exposed on the internet.

Global Critical Infrastructure Potentially Vulnerable to Reflected Amplification-based Denial-of-Service (RDoS) Attacks

Introduction

Over the past few weeks, Cyble Research & Intelligence Labs has observed active exploitation of a recently disclosed vulnerability in Palo Alto Networks’ PAN-OS, the operating system that runs its firewalls. The flaw allows a remote, unauthenticated Threat Actor (TA) to use an affected firewall to conduct reflected and amplified TCP denial-of-service (RDoS) attacks against a target of their choosing.

The vulnerability is tracked as CVE-2022-0028 and rated high severity with a CVSS score of 8.6. Because the attack traffic appears to originate from the firewall, exploitation helps attackers hide their identity and location while launching reflected and amplified DDoS attacks.

Technical Analysis

The vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog in August 2022, confirming in-the-wild exploitation.

According to the vendor’s security advisory, exploitation does not impact the confidentiality, integrity, or availability of the firewall itself. However, the resulting denial-of-service (DoS) traffic is emitted by the firewall, which implicates it as the source of the attack and obscures the real attacker’s identity.

Configurations required for external exposure

For the vulnerability to be exploitable from the internet, the firewall must have a URL filtering profile with one or more blocked categories assigned to a security rule whose source zone contains an external-facing network interface. This is the primary precondition for an external attack.

The vulnerability is present in PA-Series (hardware), VM-Series (virtual), and CN-Series (container) firewalls only when all three of the following conditions are true:


1. The security policy on the firewall that allows traffic to pass from Zone A to Zone B includes a URL filtering profile with one or more blocked categories.

2. Packet-based attack protection is not enabled in a Zone Protection profile for Zone A, including both (Packet Based Attack Protection > TCP Drop > TCP SYN with Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open);

3. Flood protection through SYN cookies is not enabled in a Zone Protection profile for Zone A (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.

Exposed Instances by Region and Industry

Using an internet scanner, Cyble Research & Intelligence Labs identified over 3,300 internet-exposed PAN-OS instances running vulnerable versions. A vulnerable version alone does not make an asset exploitable, however; the configuration conditions described above must also be met.

Figure 1 shows the countries with the highest number of exposed instances.

Figure 1 – Country-wise statistics of exposed PAN-OS assets

Our research also found that several exposed PAN-OS instances belong to organizations in critical infrastructure sectors, as shown in Figure 2. These organizations play a crucial role in the national economy, national security, public health, and safety, so an attack that abuses their exposed assets can have a severe impact.

Figure 2 – Exposed assets of critical industries

Countermeasures & Recommendations

Enterprises can implement the following measures to secure themselves against the exploitation of this vulnerability:

  • Apply the latest security updates to affected devices as released by the vendor.
  • As a workaround where the update cannot be applied immediately, enable one of the following two Zone Protection mitigations on every security zone whose security policy includes a URL filtering profile with blocked categories (Zone A in the conditions above):
  • Packet-based attack protection, including both (Packet Based Attack Protection > TCP Drop > TCP SYN with Data) and (Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open).
  • Flood protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections.
  • NOTE: It is neither necessary nor advantageous to apply both the attack and flood protections.
  • Restrict access to management and other remote services to VPNs or other managed remote access systems.
  • Limit the exposure of critical assets over the internet by implementing proper network segmentation.
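The three exposure conditions and the two mitigations above can be checked mechanically against a configuration export. The following Python script is an added example (not Cyble’s or Palo Alto Networks’ code) that walks a PAN-OS-style running configuration and reports every security rule and source zone that meets all three conditions: a URL filtering profile with at least one blocked category on the rule, and a source zone whose Zone Protection profile has neither the packet-based attack protection pair nor SYN cookies at an activation threshold of 0. The element names used (`discard-tcp-syn-with-data`, `strip-tcp-fast-open-and-data`, `flood/tcp-syn/syn-cookies/activate-rate`, and the zone-to-profile binding under `zone/entry/network`) are assumptions about the running-config layout, and the embedded configuration is constructed for the example; confirm both against an export from your own firewall before relying on the result.

```python
"""Audit a PAN-OS-style running configuration for the CVE-2022-0028 exposure conditions.

Added example, not vendor code. ASSUMPTION: the XML element names below
approximate a PAN-OS running-config export; verify them against a real export.
"""
import xml.etree.ElementTree as ET

# Constructed sample config (not a real device export).
#  - "trust" zone: Zone Protection profile with SYN cookies, activation threshold 0 (mitigated)
#  - "dmz" zone:   profile with only TCP SYN-with-Data drop, no TCP Fast Open strip (NOT mitigated)
#  - "untrust":    no Zone Protection profile at all (NOT mitigated)
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain">
    <network><profiles><zone-protection-profile>
      <entry name="zpp-syn-cookie">
        <flood><tcp-syn><enable>yes</enable>
          <syn-cookies><alarm-rate>10000</alarm-rate><activate-rate>0</activate-rate>
            <maximal-rate>40000</maximal-rate></syn-cookies>
        </tcp-syn></flood>
      </entry>
      <entry name="zpp-weak">
        <discard-tcp-syn-with-data>yes</discard-tcp-syn-with-data>
      </entry>
    </zone-protection-profile></profiles></network>
    <vsys><entry name="vsys1">
      <zone>
        <entry name="trust"><network><zone-protection-profile>zpp-syn-cookie</zone-protection-profile></network></entry>
        <entry name="dmz"><network><zone-protection-profile>zpp-weak</zone-protection-profile></network></entry>
        <entry name="untrust"><network/></entry>
      </zone>
      <profiles><url-filtering>
        <entry name="block-risky"><block><member>malware</member><member>phishing</member></block></entry>
        <entry name="alert-only"><alert><member>malware</member></alert></entry>
      </url-filtering></profiles>
      <rulebase><security><rules>
        <entry name="outbound-web"><from><member>trust</member></from><to><member>untrust</member></to>
          <profile-setting><profiles><url-filtering><member>block-risky</member></url-filtering></profiles></profile-setting></entry>
        <entry name="inbound-dmz"><from><member>untrust</member></from><to><member>dmz</member></to>
          <profile-setting><profiles><url-filtering><member>block-risky</member></url-filtering></profiles></profile-setting></entry>
        <entry name="dmz-to-trust"><from><member>dmz</member></from><to><member>trust</member></to>
          <profile-setting><profiles><url-filtering><member>block-risky</member></url-filtering></profiles></profile-setting></entry>
        <entry name="monitor-only"><from><member>untrust</member></from><to><member>trust</member></to>
          <profile-setting><profiles><url-filtering><member>alert-only</member></url-filtering></profiles></profile-setting></entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>
"""


def _members(node, path):
    """Text of every <member> under node/path (empty list if node or path is absent)."""
    return [m.text for m in node.findall(f"{path}/member")] if node is not None else []


def zone_profile_mitigates(zpp):
    """True if a zone-protection-profile entry carries either CVE-2022-0028 mitigation.

    A zone with no profile (zpp is None) is unmitigated.
    """
    if zpp is None:
        return False
    # Mitigation 1: packet-based attack protection needs BOTH drops enabled.
    packet_based = (zpp.findtext("discard-tcp-syn-with-data") == "yes"
                    and zpp.findtext("strip-tcp-fast-open-and-data") == "yes")
    # Mitigation 2: SYN flood protection via SYN cookies, activated at 0 connections
    # (assumed to be the activate-rate element of the syn-cookies block).
    syn_cookie = (zpp.findtext("flood/tcp-syn/enable") == "yes"
                  and zpp.findtext("flood/tcp-syn/syn-cookies/activate-rate") == "0")
    return packet_based or syn_cookie


def find_exposed_rules(config_xml):
    """Return sorted (rule, source_zone) pairs meeting all three exposure conditions."""
    root = ET.fromstring(config_xml.strip())
    vsys = root.find(".//vsys/entry")
    # Condition 1: URL filtering profiles that block at least one category.
    blocking = {p.get("name") for p in vsys.findall("profiles/url-filtering/entry")
                if p.findall("block/member")}
    # Map each zone name to its Zone Protection profile element (None if unassigned).
    zpp_by_name = {e.get("name"): e
                   for e in root.findall(".//network/profiles/zone-protection-profile/entry")}
    zone_zpp = {z.get("name"): zpp_by_name.get(z.findtext("network/zone-protection-profile"))
                for z in vsys.findall("zone/entry")}
    exposed = set()
    for rule in vsys.findall("rulebase/security/rules/entry"):
        if not any(p in blocking
                   for p in _members(rule, "profile-setting/profiles/url-filtering")):
            continue  # no blocked categories on this rule: condition 1 not met
        sources = _members(rule, "from")
        if "any" in sources:  # a source of "any" makes every zone a candidate Zone A
            sources = list(zone_zpp)
        # Conditions 2 and 3: the source zone lacks both mitigations.
        exposed.update((rule.get("name"), z) for z in sources
                       if not zone_profile_mitigates(zone_zpp.get(z)))
    return sorted(exposed)


if __name__ == "__main__":
    for rule, zone in find_exposed_rules(SAMPLE_CONFIG):
        print(f"EXPOSED: rule '{rule}' from zone '{zone}' has no CVE-2022-0028 mitigation")
```

On the constructed sample the script flags `inbound-dmz` (source zone with no Zone Protection profile) and `dmz-to-trust` (profile with only one of the two packet-based drops), while `outbound-web` passes because its source zone has SYN cookies at threshold 0 and `monitor-only` is skipped because its URL filtering profile only alerts. Note the two different senses of "both" in the advisory text: within the packet-based mitigation both TCP drops are required, whereas applying the packet-based mitigation together with the SYN cookie mitigation is unnecessary.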

Conclusion

Threat Actors have been actively exploiting this vulnerability since its disclosure in August 2022. Internet scanners are a TA’s first choice for finding vulnerable assets, and multiple exposed assets that may be vulnerable belong to critical industries, where successful exploitation could cause serious damage. Although Palo Alto Networks has released patches for every vulnerable version, unpatched instances likely remain and can still be exploited.

Reference:

Palo Alto Networks Security Advisory for CVE-2022-0028

