On Wednesday, American cybersecurity firm Palo Alto Networks warned customers that some of its firewall, VPN, and XDR products are affected by a high-severity OpenSSL infinite loop vulnerability disclosed last week.
Attackers can exploit this security flaw (tracked as CVE-2022-0778) to trigger a denial-of-service condition and remotely crash devices running unpatched software.
Although the OpenSSL team released a fix two weeks ago, when the issue was made public, affected customers must wait until the end of the month (during Easter weekend, April 18) for Palo Alto Networks to issue security updates.
“PAN-OS, GlobalProtect app and Cortex XDR agent software contain an insecure edition of the OpenSSL library. The availability of the product is affected by this flaw. For PAN-OS software, this encapsulates the hardware and virtual firewalls and Panorama appliances, as well as Prisma Access clients,” the company said.
“This vulnerability has reduced severity on Cortex XDR agent and GlobalProtect app as successful exploitation requires an attacker-in-the-middle attack (MITM).”
The issue affects PAN-OS 8.1 and later versions, as well as every version of the GlobalProtect app and the Cortex XDR agent.
The cybersecurity vendor said the vulnerability does not affect its Prisma Cloud or Cortex XSOAR products.
Mitigation available for some customers
Although PAN-OS hotfixes are still in development, customers with Threat Prevention subscriptions can enable Threat IDs 92409 or 92411 to block known attacks that exploit this vulnerability. According to the company, these signatures also “reduce the chance of being exploited through known exploits.”
Luckily, even though proof-of-concept exploits are publicly available, Palo Alto Networks says it has no evidence of this issue being exploited against its products.
While attackers can exploit this OpenSSL infinite loop flaw in low-complexity attacks that require no user interaction, the OpenSSL team believes the impact of exploitation is limited to a denial of service.
“The flaw isn’t hard to find. However, the effect is restricted to DoS. The most typical scenario in which the flaw could be an issue could be the TLS client that connects to an untrusted server that provides a certificate that is not valid,” an OpenSSL spokesperson told BleepingComputer.
“TLS servers could be affected if they’re employing client authentication (which is a different configuration) and malicious clients attempt to connect to them. It’s hard to know how much this could lead to an active exploit.”
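Because exposure in either scenario comes down to which OpenSSL build a TLS client or server links against, the practical first step for a defender is an inventory check. The script below is an added example written for this article, not code from Palo Alto Networks, OpenSSL or BleepingComputer: it parses `openssl version` style banners, classifies each one against CVE-2022-0778, and reports the OpenSSL build the running Python interpreter itself uses. The fixed release numbers (1.0.2zd, 1.1.1n, 3.0.2) are taken from the OpenSSL project's March 2022 advisory rather than from the article, and the sample banners are constructed, not real hosts.

```python
import re
import ssl

# Earliest release of each supported OpenSSL branch that fixes CVE-2022-0778,
# per the OpenSSL project's 15 March 2022 advisory (assumption: not stated in
# the article above). Letter suffixes are compared as character tuples so
# that () < ("n",) and ("z",) < ("z", "a") < ("z", "d").
FIXED_1_0_2_SUFFIX = ("z", "d")   # 1.0.2zd (premium-support branch)
FIXED_1_1_1_SUFFIX = ("n",)       # 1.1.1n
FIXED_3_0_PATCH = 2               # 3.0.2

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, patch, letters) from an OpenSSL banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), tuple(m.group(4))


def assess(banner):
    """Classify an OpenSSL version banner with respect to CVE-2022-0778.

    Returns "vulnerable", "fixed", "unsupported" (a branch that never received
    a fix; treat as vulnerable) or "unrecognised" (not an OpenSSL banner,
    e.g. LibreSSL, which needs its own check).
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unrecognised"
    major, minor, patch, letters = parsed
    if (major, minor, patch) == (1, 0, 2):
        return "vulnerable" if letters < FIXED_1_0_2_SUFFIX else "fixed"
    if (major, minor, patch) == (1, 1, 1):
        return "vulnerable" if letters < FIXED_1_1_1_SUFFIX else "fixed"
    if (major, minor) == (3, 0):
        return "vulnerable" if patch < FIXED_3_0_PATCH else "fixed"
    if major > 3 or (major == 3 and minor > 0):
        return "fixed"  # 3.1 and later were released after the fix
    return "unsupported"  # 1.0.0, 1.0.1, 1.1.0 and older: end of life, no fix


def scan_inventory(banners):
    """Map each collected banner (one per host) to its assessment."""
    return {banner: assess(banner) for banner in banners}


def runtime_assessment():
    """Assess the OpenSSL build this Python interpreter is linked against."""
    return assess(ssl.OPENSSL_VERSION)


# Constructed sample inventory: one `openssl version` banner per host.
SAMPLE_BANNERS = [
    "OpenSSL 1.1.1k  25 Mar 2021",
    "OpenSSL 1.1.1n  15 Mar 2022",
    "OpenSSL 3.0.1 14 Dec 2021",
    "OpenSSL 3.0.2 15 Mar 2022",
    "OpenSSL 1.0.2u  20 Dec 2019",
    "OpenSSL 1.0.2zd",
    "OpenSSL 1.1.0l  10 Sep 2019",
    "LibreSSL 3.3.6",
]

if __name__ == "__main__":
    for banner, verdict in scan_inventory(SAMPLE_BANNERS).items():
        print(f"{verdict:12} {banner}")
    print(f"{runtime_assessment():12} {ssl.OPENSSL_VERSION} (this interpreter)")
```

Feeding it real banners gathered from hosts (for example the output of `openssl version` over SSH) gives a quick list of which TLS clients and client-authenticating servers still need the vendor's update; anything reported as "unsupported" should be treated as vulnerable, and "unrecognised" means the host uses a different TLS library that this check does not cover.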
The previous week, network-attached storage (NAS) maker QNAP also informed customers that this OpenSSL DoS bug affects most of its NAS devices and that an update will be released as soon as possible.