Rewterz Threat Advisory – CVE-2022-0778 – OpenSSL Flaw Affecting Palo Alto Devices

Severity

High

Analysis Summary

CVE-2022-0778

OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN_mod_sqrt() function when parsing certificates. By using a specially-crafted certificate with invalid explicit curve parameters, a remote attacker could exploit this vulnerability to cause an infinite loop, and results in a denial of service condition.

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a Denial-of-Service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

The Prisma Cloud and Cortex XSOAR products are not impacted by this vulnerability. However, PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a vulnerable version of the OpenSSL library and product availability is impacted by this vulnerability. For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers. This vulnerability has reduced severity on Cortex XDR agent and GlobalProtect app as successful exploitation requires an attacker-in-the-middle attack (MITM): 5.9 Medium

Impact

• Denial of Service

Indicators Of Compromise

CVE

• CVE-2022-0778

Affected Vendors

• Palo Alto
• Node.js

Affected Products

• Palo Alto Cortex XDR Agent (all)
• PAN-OS 10.1.5-h1 version and earlier
• PAN-OS 10.0.10 version and earlier
• PAN-OS 10.2.1 version and earlier
• PAN-OS 9.1.13-h3 version and earlier
• PAN-OS 9.0.16-hf version and earlier
• PAN-OS 8.1.23 version and earlier
• OpenSSL 1.1.1
• Node.js 12
• Node.js 14.0
• Node.js 16.0
• Node.js 17.0
• OpenSSL 1.0.2
• OpenSSL 3.0.0

Remediation

Refer to the vendor websites to upgrade to the fixed and patched versions here:

OpenSSL vulnerability

Palo Alto Vulnerability