American cybersecurity company Palo Alto Networks warned customers on Wednesday that some of its firewall, VPN, and XDR products are vulnerable to a high severity OpenSSL infinite loop bug disclosed three weeks ago.
Threat actors can exploit this security vulnerability (tracked as CVE-2022-0778) to trigger a denial of service state and remotely crash devices running unpatched software.
Even though the OpenSSL team released a patch two weeks ago when it publicly disclosed the bug, customers will have to wait until later this month (during the week of April 18) when Palo Alto Networks plans to release security updates.
“PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a vulnerable version of the OpenSSL library and product availability is impacted by this vulnerability. For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers,” the company said.
“This vulnerability has reduced severity on Cortex XDR agent and GlobalProtect app as successful exploitation requires an attacker-in-the-middle attack (MITM).”
The bug impacts PAN-OS 8.1 and later releases and all versions of GlobalProtect app and Cortex XDR agent.
The cybersecurity vendor added that this vulnerability does not impact its Prisma Cloud and Cortex XSOAR products.
Mitigation available for some customers
While PAN-OS hotfixes are still in development, customers with Threat Prevention subscriptions can enable Threat IDs 92409 and 92411 to block known attacks for this vulnerability and “reduce the risk of exploitation from known exploits.”
Luckily, even though proof-of-concept exploits are available online, Palo Alto Networks has no evidence of exploitation of this issue on any of its products.
Although attackers can abuse the OpenSSL infinite loop flaw in low complexity attacks without user interaction, the OpenSSL team says the impact of successful exploitation is limited to triggering a denial of service.
“The flaw is not too difficult to exploit, but the impact is limited to DoS. The most common scenario where exploitation of this flaw would be a problem would be for a TLS client accessing a malicious server that serves up a problematic certificate,” an OpenSSL spokesperson told BleepingComputer.
“TLS servers may be affected if they are using client authentication (which is a less common configuration) and a malicious client attempts to connect to it. It is difficult to guess to what extent this will translate to active exploitation.”
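Because the exposure comes down to whether a host still runs an unpatched OpenSSL build, the practical defender-side task is checking version strings across an estate. The following script is an added example, not code from the article, Palo Alto Networks or the OpenSSL project; it assumes the fixed releases named in OpenSSL's own advisory for CVE-2022-0778 (3.0.2, 1.1.1n and 1.0.2zd, which this page does not list) and uses a constructed sample inventory. It handles the awkward OpenSSL letter-suffix ordering, where 1.0.2u is older than 1.0.2za, so a naive string comparison would misclassify hosts.

```python
import re
import ssl

# Fix releases from the OpenSSL advisory for CVE-2022-0778 (assumption: taken from
# the advisory, not from this article). Branches 1.1.0 and 1.0.1 were out of
# support and received no fix, so they are reported as "unknown" rather than guessed.
FIXED_3_0_PATCH = 2      # 3.0.x is vulnerable below 3.0.2
FIXED_1_1_1_SUFFIX = "n" # 1.1.1 is vulnerable below 1.1.1n
FIXED_1_0_2_SUFFIX = "zd"  # 1.0.2 is vulnerable below 1.0.2zd

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, patch, suffix) from strings such as
    'OpenSSL 1.1.1m  14 Dec 2021' or '3.0.1'. Returns None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def _suffix_key(suffix):
    # OpenSSL letter suffixes order by length first, then alphabetically:
    # "" < "a" < ... < "z" < "za" < "zb" < ... so 1.0.2u is older than 1.0.2zd.
    return (len(suffix), suffix)


def cve_2022_0778_status(text):
    """Classify an OpenSSL version string as 'affected', 'fixed' or 'unknown'."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch, suffix = parsed
    if major >= 3:
        if (major, minor) == (3, 0):
            return "affected" if patch < FIXED_3_0_PATCH else "fixed"
        return "fixed"  # 3.1 and later branches were released after the fix
    if (major, minor, patch) == (1, 1, 1):
        return "affected" if _suffix_key(suffix) < _suffix_key(FIXED_1_1_1_SUFFIX) else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        return "affected" if _suffix_key(suffix) < _suffix_key(FIXED_1_0_2_SUFFIX) else "fixed"
    return "unknown"  # e.g. 1.1.0 or 1.0.1: unsupported, treat as needing manual review


# Constructed sample inventory (hostname, output of `openssl version`); not real hosts.
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "OpenSSL 1.1.1m  14 Dec 2021"),
    ("build-box", "OpenSSL 3.0.1 14 Dec 2021"),
    ("legacy-app", "OpenSSL 1.0.2u  20 Dec 2019"),
    ("patched-host", "OpenSSL 1.1.1n  15 Mar 2022"),
    ("old-appliance", "OpenSSL 1.1.0l  10 Sep 2019"),
]


def audit(inventory):
    """Return the hostnames whose reported OpenSSL build still lacks the fix."""
    return [name for name, version in inventory if cve_2022_0778_status(version) == "affected"]


def needs_review(inventory):
    """Return hostnames on branches the advisory did not patch (manual follow-up)."""
    return [name for name, version in inventory if cve_2022_0778_status(version) == "unknown"]


if __name__ == "__main__":
    # The Python interpreter links its own OpenSSL, which is a cheap first data point.
    print("local interpreter:", ssl.OPENSSL_VERSION, "->", cve_2022_0778_status(ssl.OPENSSL_VERSION))
    for host in audit(SAMPLE_INVENTORY):
        print("needs patch:", host)
    for host in needs_review(SAMPLE_INVENTORY):
        print("unsupported branch, review manually:", host)
```

Feeding it real `openssl version` output collected from hosts, or the version string an appliance reports in its own advisory, gives a quick list of what still needs the vendor hotfix; the "unknown" bucket is deliberate so that end-of-life branches are surfaced instead of silently passed.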
Last week, network-attached storage (NAS) maker QNAP also warned customers that this OpenSSL DoS bug impacts most of its NAS devices, with a patch to be released as soon as possible.