Palo Alto Networks Firewalls, VPNs Vulnerable to OpenSSL Bug


US cybersecurity firm Palo Alto Networks warned customers on Wednesday that some of its firewall, VPN and XDR products are vulnerable to a very serious OpenSSL infinite loop bug disclosed three weeks ago.

Threat actors could exploit this vulnerability (tracked as CVE-2022-0778) to trigger a denial of service state and remotely crash devices running unpatched software.

Although the OpenSSL team released a patch two weeks ago when it made the bug public, customers will have to wait until later this month (the week of April 18) when Palo Alto Networks plans to release security updates.

“PAN-OS, GlobalProtect app and Cortex XDR agent software contain a vulnerable version of the OpenSSL library and product availability is affected by this vulnerability. For PAN-OS software this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers,” the company said.

“This vulnerability has reduced severity on the Cortex XDR agent and the GlobalProtect app, as successful exploitation requires an attacker-in-the-middle (MITM) attack.”

The bug affects PAN-OS 8.1 and later releases and all versions of the GlobalProtect app and Cortex XDR agent.

The cybersecurity vendor added that this vulnerability does not affect its Prisma Cloud and Cortex XSOAR products.

Mitigation available for some customers

While hotfixes for PAN-OS are still in development, customers with Threat Prevention subscriptions can enable Threat IDs 92409 and 92411 to block known attacks against this vulnerability and “reduce the risk of being exploited by known exploits”.

Fortunately, even though proof-of-concept exploits are available online, Palo Alto Networks has no evidence that this issue has been exploited on any of its products.

While attackers can exploit the OpenSSL infinite loop flaw in low-complexity attacks without user interaction, the OpenSSL team says the impact of successful exploitation is limited to triggering a denial of service.

“The flaw isn’t too difficult to exploit, but its impact is limited to DoS. The most common scenario where exploiting this flaw would be a problem would be a TLS client accessing a malicious server that has a problematic certificate,” an OpenSSL spokesperson told BleepingComputer.

“TLS servers can be affected if they use client authentication (which is a less common configuration) and a malicious client tries to connect to it. It’s hard to guess how far this will translate into active exploitation.”

Last week, QNAP, a maker of network-attached storage (NAS) devices, also warned customers that this OpenSSL DoS bug affects most of its NAS devices, with a patch to be released as soon as possible.

This post, “Palo Alto Networks Firewalls, VPNs Vulnerable to OpenSSL Bug”, was originally published at https://www.bleepingcomputer.com/news/security/palo-alto-networks-firewalls-vpns-vulnerable-to-openssl-bug/