CVE-2022-0011 PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering
Description
PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile.
When the entries in these lists have a hostname pattern that does not end with a forward slash (/) or a hostname pattern that ends with an asterisk (*), any URL that starts with the specified pattern is considered a match. Entries with a caret (^) at the end of a hostname pattern match any top level domain. This may inadvertently allow or block more URLs than intended and allowing more URLs than intended represents a security risk.
For example:
example.com will match example.com.website.test
example.com.* will match example.com.website.test
example.com.^ will match example.com.test
You should take special care when using such entries in policy rules that allow traffic. Where possible, use the exact list of hostname names ending with a forward slash (/) instead of using wildcards.
PAN-OS 10.1 versions earlier than PAN-OS 10.1.3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 9.1 versions earlier than PAN-OS 9.1.12; all PAN-OS 9.0 versions; PAN-OS 8.1 versions earlier than PAN-OS 8.1.21, and Prisma Access 2.2 and 2.1 versions do not allow customers to change this behavior without changing the URL category list or EDL.
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 10.1 | < 10.1.3 | >= 10.1.3 |
PAN-OS 10.0 | < 10.0.8 | >= 10.0.8 |
PAN-OS 9.1 | < 9.1.12 | >= 9.1.12 |
PAN-OS 9.0 | 9.0.* | |
PAN-OS 8.1 | < 8.1.21 | >= 8.1.21 |
Prisma Access 3.0 | None | Preferred, Innovation |
Prisma Access 2.2 | Preferred | |
Prisma Access 2.1 | Preferred, Innovation |
Required Configuration for Exposure
This issue is applicable only when you configure exceptions to URL filtering either by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile as per https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/block-and-allow-lists.html or directly in a security policy.
Severity: MEDIUM
CVSSv3.1 Base Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-436 Interpretation Conflict
Solution
PAN-OS 8.1.21, PAN-OS 9.1.12, PAN-OS 10.0.8, PAN-OS 10.1.3, Prisma Access 3.0 Preferred, and Prisma Access 3.0 Innovation all include a customer configurable option to automatically append a forward slash at the end of the hostname pattern for entries without an ending token in a custom URL category list or in an external dynamic list (EDL).
Prisma Access customers should refer to “STEP 7” in the following Prisma Access 3.0 documentation to enable this feature:
For other PAN-OS appliances, this option is enabled by running these CLI commands:
debug device-server append-end-token on
commit force
Note: This option is disabled by default on PAN-OS 8.1, PAN-OS 9.1, PAN-OS 10.0, and PAN-OS 10.1. This option will be enabled by default starting with the next major version of PAN-OS. This option is not available on PAN-OS 9.0. Customers with PAN-OS 9.0 are advised to apply workarounds or upgrade to PAN-OS 9.1 or a later version.
Additionally, customers must evaluate their custom URL category list or their external dynamic list (EDL) and any firewall policy rules that depend on them to determine whether this option provides the desired policy rule enforcement.
Example 1: If the firewall policy rule is intended to allow only 'www.example.com' and not to allow access to any other site, such as www.example.com.webiste.test, then use the "debug device-server append-end-token on" CLI command.
Example 2: If the firewall policy rule is set to block access to 'www.example.co' and block access to sites such as www.example.com, www.example.co.az, then keep the default setting ("debug device-server append-end-token off" CLI command). You should always use the most appropriate token if you need to match multiple hostnames in a policy rule.
Workarounds and Mitigations
Add a forward slash (/) at the end of the hostname pattern for all entries in the custom URL category list or the external dynamic list (EDL).
For example:
example.com/ will not match example.com.website.test