Palo Alto Networks, an American cybersecurity firm, announced on Wednesday that some of its firewall, XDR, and VPN products are susceptible to a high-severity OpenSSL infinite loop problem discovered three weeks ago. Threat actors can use this security flaw (CVE-2022-0778) to cause a denial-of-service condition and crash devices running unpatched software remotely.
Customers should wait until later this month (during the week of April 18) for Palo Alto Networks to issue security upgrades, despite the fact that the OpenSSL team published a fix two weeks ago when it publicly exposed the flaw.
“PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a vulnerable version of the OpenSSL library and product availability is impacted by this vulnerability. For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers,” as stated by the company. “This vulnerability has reduced severity on Cortex XDR agent and GlobalProtect app as successful exploitation requires an attacker-in-the-middle attack (MITM).”
The vulnerability affects all variants of the GlobalProtect app and the Cortex XDR agent, as well as PAN-OS 8.1 and later releases. According to the cybersecurity firm, this issue does not affect Prisma Cloud or Cortex XSOAR. Customers with Threat Prevention subscriptions can use Threat IDs 92409 and 92411 to prevent known attacks for this vulnerability and “reduce the risk of exploitation from known exploits.” At the same time, hotfixes for PAN-OS are still being developed.
Fortunately, even though proof-of-concept attacks are accessible online, Palo Alto Networks has found no indication of this vulnerability being exploited on any of its devices. Although attackers may abuse the OpenSSL endless loop bug in low-complexity attacks without requiring user input, the OpenSSL team claims that successful exploitation will only result in a denial of service.
Although it only has a DoS effect, the weakness isn’t challenging to exploit. According to an OpenSSL representative, a TLS client visiting a rogue server that gives out a faulty certificate would be the most typical scenario where this weakness would be exploited.
If a hostile client attempts to connect to a TLS server employing client authentication (a less specific option), the server may be compromised. It’s tough to predict how far this will lead to active exploitation. Last week, QNAP, a manufacturer of network-attached storage (NAS), issued a warning to consumers that the OpenSSL DoS problem affects most of its NAS equipment, and a fix will be published soon.
