Palo Alto Networks devices affected by CVE-2022-0778 OpenSSL bug

Palo Alto Networks addressed a high-severity OpenSSL infinite loop vulnerability, tracked as CVE-2022-0778, that affects some of its firewall, VPN, and XDR products.

In Mid March, OpenSSL released updates to address a high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2022-0778, that affects the BN_mod_sqrt() function used when certificate parsing. The flaw was discovered by the popular Google Project Zero researchers Tavis Ormandy.

An attacker can trigger the vulnerability by crafting a malformed certificate with invalid explicit curve parameters.

According to Palo Alto Networks, the CVE-2022-0778 vulnerability can be exploited by remote attackers to trigger a denial of service condition and crash vulnerable devices. The security vendor is expected to release security patches for the above vulnerability this month.

Even though the OpenSSL team released a patch two weeks ago when it publicly disclosed the bug, customers will have to wait until later this month (during the week of April 18) when Palo Alto Networks plans to release security updates.

“PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a vulnerable version of the OpenSSL library and product availability is impacted by this vulnerability. For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers,” the company said.

“This vulnerability has reduced severity on Cortex XDR agent and GlobalProtect app as successful exploitation requires an attacker-in-the-middle attack (MITM).”

The bug impacts PAN-OS 8.1 and later releases and all versions of GlobalProtect app and Cortex XDR agent.

The cybersecurity vendor added that this vulnerability does not impact its Prisma Cloud and Cortex XSOAR products.

Mitigation available for some customers

While PAN-OS hotfixes are still in development, customers with Threat Prevention subscriptions can enable Threat IDs 92409 and 92411 to block known attacks for this vulnerability and “reduce the risk of exploitation from known exploits.”

Luckily, even if proof-of-concept exploits are available online, Palo Alto Networks has no evidence of exploitation of this issue on any of its products.

Although attackers can abuse the OpenSSL infinite loop flaw in low complexity attacks without user interaction, the OpenSSL team says the impact of successful exploitation is limited to triggering a denial of service.

“The flaw is not too difficult to exploit, but the impact is limited to DoS. The most common scenario where exploitation of this flaw would be a problem would be for a TLS client accessing a malicious server that serves up a problematic certificate,” an OpenSSL spokesperson told BleepingComputer.https://ba773f525c8527ddd67773da13a5e5d0.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html

“TLS servers may be affected if they are using client authentication (which is a less common configuration) and a malicious client attempts to connect to it. It is difficult to guess to what extent this will translate to active exploitation.”

Last week, network-attached storage (NAS) maker QNAP also warned customers that this OpenSSL DoS bug impacts most of its NAS devices, with a patch to be released as soon as possible.

Please vote Security Affairs as best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post Palo Alto Networks devices affected by CVE-2022-0778 OpenSSL bug appeared first on Security Affairs.