Palo Alto Networks Security Advisories / CVE-2022-0778

CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778

047910
Severity 7.5 · HIGH
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact NONE
Privileges Required NONE
Integrity Impact NONE
User Interaction NONE
Availability Impact HIGH

Description

The Palo Alto Networks Product Security Assurance team has evaluated the OpenSSL infinite loop vulnerability (CVE-2022-0778) as it relates to our products.

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a Denial-of-Service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

The Prisma Cloud and Cortex XSOAR products are not impacted by this vulnerability. However, PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a vulnerable version of the OpenSSL library and product availability is impacted by this vulnerability. For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers. This vulnerability has reduced severity on Cortex XDR agent and GlobalProtect app as successful exploitation requires a meddler-in-the-middle attack (MITM): 5.9 Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

All fixed versions of Cortex XDR agent, GlobalProtect app, and PAN-OS are now available.

This issue impacts the following versions of PAN-OS:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.23;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.16-h2;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.13-h3;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.10;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.5-h1;

PAN-OS 10.2 versions earlier than PAN-OS 10.2.1.

This issue impacts the following versions of GlobalProtect app:

GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.11;

GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.12;

GlobalProtect app 5.3 versions earlier than GlobalProtect app 5.3.4;

GlobalProtect app 6.0 versions earlier than GlobalProtect app 6.0.1 on Windows and macOS;

GlobalProtect app 6.0 versions earlier than GlobalProtect app 6.0.2 on Android and iOS.

This issue impacts the following versions and builds of Cortex XDR agent:

Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9 hotfix build 6.1.9.61370 on Windows;

Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.7 hotfix build 6.1.7.1690 on macOS;

Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.7 hotfix build 6.1.7.60245 on Linux;

All versions and builds of Cortex XDR agent 7.4;

Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.60642 on Windows;

Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.2276 on macOS;

Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.59687 on Linux

Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build 7.5.3.60113 on Windows;

Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build 7.5.3.2265 on macOS;

Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build 7.5.3.59465 on Linux;

Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build 7.6.2.60545 on Windows;

Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build 7.6.2.2311 on macOS;

Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build 7.6.2.59612 on Linux;

Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build 7.7.0.60725 on Windows;

Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build 7.7.0.2356 on macOS;

Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build 7.7.0.59559 on Linux.

This issue is addressed for Prisma Access customers in the Prisma Access patch rollout that will begin on May 7, 2022 and will be a phased rollout performed based on theaters. Palo Alto Networks will send an additional email notification through Prisma Access Insights one week before the rollout begins for affected tenant(s).

Product Status

VersionsAffectedUnaffected
Cortex XDR Agent 7.7< 7.7.0.60725 on Windows, < 7.7.0.2356 on macOS, < 7.7.0.59559 on Linux>= 7.7.0.60725 on Windows, >= 7.7.0.2356 on macOS, >= 7.7.0.59559 on Linux
Cortex XDR Agent 7.6< 7.6.2.60545 on Windows, < 7.6.2.2311 on macOS, < 7.6.2.59612 on Linux>= 7.6.2.60545 on Windows, >= 7.6.2.2311 on macOS, >= 7.6.2.59612 on Linux
Cortex XDR Agent 7.5-CE< 7.5.100.60642 on Windows, < 7.5.100.2276 on macOS, < 7.5.100.59687 on Linux>= 7.5.100.60642 on Windows, >= 7.5.100.2276 on macOS, >= 7.5.100.59687 on Linux
Cortex XDR Agent 7.5< 7.5.3.60113 on Windows, < 7.5.3.2265 on macOS, < 7.5.3.59465 on Linux>= 7.5.3.60113 on Windows, >= 7.5.3.2265 on macOS, >= 7.5.3.59465 on Linux
Cortex XDR Agent 7.47.4.*
Cortex XDR Agent 6.1< 6.1.9.61370 on Windows, < 6.1.7.1690 on macOS, < 6.1.7.60245 on Linux>= 6.1.9.61370 on Windows, >= 6.1.7.1690 on macOS, >= 6.1.7.60245 on Linux
Cortex XSOAR Noneall
GlobalProtect App 6.0< 6.0.1 on Windows and macOS, < 6.0.2 on Android and iOS>= 6.0.1 on Windows and macOS, >= 6.0.2 on Android and iOS
GlobalProtect App 5.3< 5.3.4>= 5.3.4
GlobalProtect App 5.2< 5.2.12>= 5.2.12
GlobalProtect App 5.1< 5.1.11>= 5.1.11
PAN-OS 10.2< 10.2.1>= 10.2.1
PAN-OS 10.1< 10.1.5-h1>= 10.1.5-h1
PAN-OS 10.0< 10.0.10>= 10.0.10
PAN-OS 9.1< 9.1.13-h3>= 9.1.13-h3
PAN-OS 9.0< 9.0.16-h2>= 9.0.16-h2
PAN-OS 8.1< 8.1.23>= 8.1.23
Prisma Access 3.1Preferred, Innovation
Prisma Access 3.0Preferred, Innovation
Prisma Access 2.2Preferred
Prisma Access 2.1Preferred, Innovation
Prisma Cloud Noneall

Severity:HIGH

CVSSv3.1 Base Score:7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.

Weakness Type

CWE-834 Excessive Iteration

Solution

This issue is fixed in PAN-OS 8.1.23, PAN-OS 9.0.16-h2, PAN-OS 9.1.13-h3, PAN-OS 10.0.10, PAN-OS 10.1.5-h1, PAN-OS 10.2.1, and all later PAN-OS versions.

This issue is fixed in GlobalProtect app 5.1.11, GlobalProtect app 5.2.12, GlobalProtect app 5.3.4, GlobalProtect app 6.0.1 on Window and macOS, GlobalProtect app 6.0.2 on Android and iOS, and all later GlobalProtect app versions.

This issue is fixed in Cortex XDR agent 6.1.9 hotfix build 6.1.9.61370 on Windows, Cortex XDR agent 6.1.7 hotfix build 6.1.7.1690 on macOS, Cortex XDR agent 6.1.7 hotfix build 6.1.7.60245 on Linux, Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.60642 on Windows, Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.2276 on macOS, Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.59687 on Linux, Cortex XDR agent 7.5.3 build 7.5.3.60113 on Windows, Cortex XDR agent 7.5.3 build 7.5.3.2265 on macOS, Cortex XDR agent 7.5.3 build 7.5.3.59465 on Linux, Cortex XDR agent 7.6.2 hotfix build 7.6.2.60545 on Windows, Cortex XDR agent 7.6.2 hotfix build 7.6.2.2311 on macOS, Cortex XDR agent 7.6.2 hotfix build 7.6.2.59612 hotfix on Linux, Cortex XDR agent 7.7.0 hotfix build 7.7.0.60725 on Windows, Cortex XDR agent 7.7.0 hotfix build 7.7.0.2356 on macOS, Cortex XDR agent 7.7.0 hotfix build 7.7.0.59559 on Linux, and all later versions and builds of Cortex XDR agent. Cortex XDR agent 7.4 is end-of-life on May 24, 2022 and is not expected to receive a fix for this issue.

This issue is addressed for Prisma Access customers in the Prisma Access patch rollout that will begin on May 7, 2022 and will be a phased rollout performed based on theaters. Palo Alto Networks will send an additional email notification through Prisma Access Insights one week before the rollout begins for affected tenant(s).

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block known attacks for this vulnerability by enabling Threat IDs 92409 and 92411 (Applications and Threats content update 8552). This mitigation reduces the risk of exploitation from known exploits.

Customers will need to upgrade their products to a fixed version to completely remove the risk of this issue.

Frequently Asked Questions

Q. When will fixes for PAN-OS be available?

The fix for this issue is available in PAN-OS 8.1.23, PAN-OS 9.0.16-h2, PAN-OS 9.1.13-h3, PAN-OS 10.0.10, PAN-OS 10.1.5-h1, and PAN-OS 10.2.1 versions. All fixed versions of PAN-OS are now available.

Q. Are Threat Prevention signatures available for this issue?

Customers with a Threat Prevention subscription can block known attacks for this vulnerability by enabling Threat IDs 92409 and 92411 (Applications and Threats content update 8552). This mitigation reduces the risk of exploitation from known exploits.

Q. Where can I get the most up-to-date information on product fixes for this issue?

This security advisory will be continually updated with the latest fixed version information for all listed Palo Alto Networks products.

Q. What will happen to PAN-OS if this issue is encountered?

If this issue is encountered in the firewall data plane or management plane, the impacted PAN-OS process will abort and generate crash related debug information. If this issue is encountered repeatedly, there will be a firewall reboot and can result in the denial-of-service to all PAN-OS services.

Timeline

Fixed version clarification for GlobalProtect app on Android and iOS platforms.
GlobalProtect app fixed version GlobalProtect app 5.3.4 is now available.
GlobalProtect app fixed version GlobalProtect app 5.2.12 is now available.
GlobalProtect app fixed version GlobalProtect app 5.1.11 is now available.
Cortex XDR agent fixes for Cortex XDR agent 6.1 and 7.5-CE are now available.
GlobalProtect app fixed version GlobalProtect app 6.0.1 is now available.
Updated fix information for Cortex XDR agent. New fix ETA for Prisma Access customers.
PAN-OS fixed version PAN-OS 8.1.23 is now available.
Added new Cortex XDR agent fix ETAs. Updated ETA for PAN-OS 8.1.23 fix.
Added new GlobalProtect app 5.3 fix ETA.
PAN-OS fixed version PAN-OS 10.2.1 is now available.
Added new GlobalProtect app fix ETAs.
PAN-OS fixed version PAN-OS 10.0.10 is now available.
PAN-OS fixed version PAN-OS 9.0.16-h2 is now available.
PAN-OS fixed versions PAN-OS 9.1.13-h3 and PAN-OS 10.1.5-h1 are now available.
Added new PAN-OS fix ETAs, available threat prevention signatures, and additional FAQ.
Initial publication
© 2022 Palo Alto Networks, Inc. All rights reserved.