Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service Vulnerability in URL Filtering

Vulnerability

A vulnerability exists in Palo Alto Networks PAN-OS URL filtering policy that could enable a network-based attacker to perform reflected and amplified TCP denial-of-service (RDoS) attacks. This issue affects PA-Series hardware firewalls, VM-Series virtual firewalls, and CN-Series container firewalls. The vulnerability arises from a misconfiguration in which a URL filtering profile with blocked categories is assigned to a source zone that has an external-facing interface. Such a configuration is atypical for URL filtering and is likely unintended. When exploited, the denial-of-service attack can obscure the attacker's identity, making it appear as though the Palo Alto firewall is the source of the attack.

Impact

Exploitation of this vulnerability allows for reflected and amplified TCP denial-of-service attacks, where the attack appears to originate from the affected firewall, potentially implicating it as the source of the attack.

Remediation

This vulnerability has been addressed in PAN-OS versions 8.1.23-h1, 9.0.16-h3, 9.1.14-h4, 10.0.11-h1, 10.1.6-h6, and 10.2.2-h2. All PAN-OS software updates for this issue are now available. For firewalls using Aporeto software, wait for and install a fixed version of PAN-OS software.
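To triage a firewall inventory against the fixed releases listed above, the following added example (not Palo Alto Networks code) compares a PAN-OS version string, including its `-hN` hotfix suffix, with the fixed release for its train. It assumes that later releases in the same train carry the fix and reports trains the page does not list as unknown; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed release per PAN-OS release train, copied from the Remediation text.
FIXED = {
    "8.1": "8.1.23-h1",
    "9.0": "9.0.16-h3",
    "9.1": "9.1.14-h4",
    "10.0": "10.0.11-h1",
    "10.1": "10.1.6-h6",
    "10.2": "10.2.2-h2",
}

# major.minor.maintenance with an optional hotfix suffix, e.g. 10.1.6-h6
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); a missing hotfix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        # Other suffix styles are rejected rather than guessed at.
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def patch_status(version):
    """Classify a version as 'fixed', 'needs-update' or 'unknown-train'."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED.get(train)
    if fixed is None:
        # The page gives no fixed release for this train; do not guess.
        return "unknown-train"
    # Assumption: any later release in the same train includes the fix.
    return "fixed" if parsed >= parse_version(fixed) else "needs-update"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    inventory = {"fw-edge-01": "10.1.6-h5", "fw-edge-02": "10.1.6-h6",
                 "fw-dc-01": "9.1.14", "fw-lab-01": "11.0.1"}
    for host, ver in sorted(inventory.items()):
        print(f"{host}\t{ver}\t{patch_status(ver)}")
```

A base release such as `9.1.14` sorts below `9.1.14-h4`, so it is reported as needing the update even though the maintenance number matches.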

Added: May 15, 2026, 9:41 AM
Updated: May 15, 2026, 9:41 AM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 0.2
exploitability: 8.7
remediation: 8.3
relevance: 0.0
threat: 8.1
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.