Palo Alto Networks Security Advisories / CVE-2022-0011

CVE-2022-0011 PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering

047910
Severity 6.5 · MEDIUM
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact NONE
Privileges Required LOW
Integrity Impact HIGH
User Interaction NONE
Availability Impact NONE

Description

PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile.

When the entries in these lists have a hostname pattern that does not end with a forward slash (/) or a hostname pattern that ends with an asterisk (*), any URL that starts with the specified pattern is considered a match. Entries with a caret (^) at the end of a hostname pattern match any top level domain. This may inadvertently allow or block more URLs than intended and allowing more URLs than intended represents a security risk.

For example:

example.com will match example.com.website.test
example.com.* will match example.com.website.test
example.com.^ will match example.com.test

You should take special care when using such entries in policy rules that allow traffic. Where possible, use the exact list of hostname names ending with a forward slash (/) instead of using wildcards.

PAN-OS 10.1 versions earlier than PAN-OS 10.1.3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 9.1 versions earlier than PAN-OS 9.1.12; all PAN-OS 9.0 versions; PAN-OS 8.1 versions earlier than PAN-OS 8.1.21, and Prisma Access 2.2 and 2.1 versions do not allow customers to change this behavior without changing the URL category list or EDL.

Product Status

VersionsAffectedUnaffected
PAN-OS 10.1< 10.1.3>= 10.1.3
PAN-OS 10.0< 10.0.8>= 10.0.8
PAN-OS 9.1< 9.1.12>= 9.1.12
PAN-OS 9.09.0.*
PAN-OS 8.1< 8.1.21>= 8.1.21
Prisma Access 3.0NonePreferred, Innovation
Prisma Access 2.2Preferred
Prisma Access 2.1Preferred, Innovation

Required Configuration for Exposure

This issue is applicable only when you configure exceptions to URL filtering either by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile as per https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/block-and-allow-lists.html or directly in a security policy.

Severity:MEDIUM

CVSSv3.1 Base Score:6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-436 Interpretation Conflict

Solution

PAN-OS 8.1.21, PAN-OS 9.1.12, PAN-OS 10.0.8, PAN-OS 10.1.3, Prisma Access 3.0 Preferred, and Prisma Access 3.0 Innovation all include a customer configurable option to automatically append a forward slash at the end of the hostname pattern for entries without an ending token in a custom URL category list or in an external dynamic list (EDL).

Prisma Access customers should refer to “STEP 7” in the following Prisma Access 3.0 documentation to enable this feature:

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/prisma-access-service-infrastructure/enable-the-service-infrastructure.html

For other PAN-OS appliances, this option is enabled by running these CLI commands:

debug device-server append-end-token on
commit force

Note: This option is disabled by default on PAN-OS 8.1, PAN-OS 9.1, PAN-OS 10.0, and PAN-OS 10.1. This option will be enabled by default starting with the next major version of PAN-OS. This option is not available on PAN-OS 9.0. Customers with PAN-OS 9.0 are advised to apply workarounds or upgrade to PAN-OS 9.1 or a later version.

Additionally, customers must evaluate their custom URL category list or their external dynamic list (EDL) and any firewall policy rules that depend on them to determine whether this option provides the desired policy rule enforcement.

Example 1: If the firewall policy rule is intended to allow only 'www.example.com' and not to allow access to any other site, such as www.example.com.webiste.test, then use the "debug device-server append-end-token on" CLI command.

Example 2: If the firewall policy rule is set to block access to 'www.example.co' and block access to sites such as www.example.com, www.example.co.az, then keep the default setting ("debug device-server append-end-token off" CLI command). You should always use the most appropriate token if you need to match multiple hostnames in a policy rule.

Workarounds and Mitigations

Add a forward slash (/) at the end of the hostname pattern for all entries in the custom URL category list or the external dynamic list (EDL).

For example:

example.com/ will not match example.com.website.test

Acknowledgments

Palo Alto Networks thanks Chris Johnston of PricewaterhouseCoopers for discovering and reporting this issue.

Timeline

Clarified that custom URL categories used directly in security policies are affected
initial publication
© 2022 Palo Alto Networks, Inc. All rights reserved.