===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.2361
CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778
13 May 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           PAN-OS
                   GlobalProtect app
                   Cortex XDR agent
Publisher:         Palo Alto
Operating System:  Windows
                   macOS
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0778

Original Bulletin: https://securityadvisories.paloaltonetworks.com/CVE-2022-0778

Comment: CVSS (Max):  7.5 CVE-2022-0778 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2022-0778

CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778

Severity: 7.5 HIGH

Attack Vector:          NETWORK
Attack Complexity:      LOW
Privileges Required:    NONE
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: NONE
Integrity Impact:       NONE
Availability Impact:    HIGH

Published:  2022-03-31
Updated:    2022-05-12
Reference:  PAN-190175 and PAN-190223
Discovered: externally

Description

The Palo Alto Networks Product Security Assurance team has evaluated the OpenSSL infinite loop vulnerability (CVE-2022-0778) as it relates to our products.

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a Denial-of-Service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.
The Prisma Cloud and Cortex XSOAR products are not impacted by this vulnerability. However, PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a vulnerable version of the OpenSSL library and product availability is impacted by this vulnerability. For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers. This vulnerability has reduced severity on Cortex XDR agent and GlobalProtect app as successful exploitation requires a meddler-in-the-middle attack (MITM): 5.9 Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

We are working diligently on fixes to remove the vulnerable code from our GlobalProtect app software. All fixed versions of Cortex XDR agent and PAN-OS are now available.

This issue impacts the following versions of PAN-OS:

  PAN-OS 8.1 versions earlier than PAN-OS 8.1.23;
  PAN-OS 9.0 versions earlier than PAN-OS 9.0.16-h2;
  PAN-OS 9.1 versions earlier than PAN-OS 9.1.13-h3;
  PAN-OS 10.0 versions earlier than PAN-OS 10.0.10;
  PAN-OS 10.1 versions earlier than PAN-OS 10.1.5-h1;
  PAN-OS 10.2 versions earlier than PAN-OS 10.2.1.

This issue impacts the following versions of GlobalProtect app:

  GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.11;
  GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.12 (ETA: month of May, 2022);
  GlobalProtect app 5.3 versions earlier than GlobalProtect app 5.3.4 (ETA: month of May, 2022);
  GlobalProtect app 6.0 versions earlier than GlobalProtect app 6.0.1.

This issue impacts the following versions and builds of Cortex XDR agent:

  Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9 hotfix build 6.1.9.61370 on Windows;
  Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.7 hotfix build 6.1.7.1690 on macOS;
  Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.7 hotfix build 6.1.7.60245 on Linux;
  All versions and builds of Cortex XDR agent 7.4;
  Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.60642 on Windows;
  Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.2276 on macOS;
  Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.59687 on Linux;
  Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build 7.5.3.60113 on Windows;
  Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build 7.5.3.2265 on macOS;
  Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build 7.5.3.59465 on Linux;
  Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build 7.6.2.60545 on Windows;
  Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build 7.6.2.2311 on macOS;
  Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build 7.6.2.59612 on Linux;
  Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build 7.7.0.60725 on Windows;
  Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build 7.7.0.2356 on macOS;
  Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build 7.7.0.59559 on Linux.

This issue is addressed for Prisma Access customers in the Prisma Access patch rollout that will begin on May 7, 2022 and will be a phased rollout performed based on theaters. Palo Alto Networks will send an additional email notification through Prisma Access Insights one week before the rollout begins for affected tenant(s).

Product Status

Versions                  Affected                     Unaffected
Cortex XDR Agent 7.7      < 7.7.0.60725 on Windows,    >= 7.7.0.60725 on Windows,
                          < 7.7.0.2356 on macOS,       >= 7.7.0.2356 on macOS,
                          < 7.7.0.59559 on Linux       >= 7.7.0.59559 on Linux
Cortex XDR Agent 7.6      < 7.6.2.60545 on Windows,    >= 7.6.2.60545 on Windows,
                          < 7.6.2.2311 on macOS,       >= 7.6.2.2311 on macOS,
                          < 7.6.2.59612 on Linux       >= 7.6.2.59612 on Linux
Cortex XDR Agent 7.5-CE   < 7.5.100.60642 on Windows,  >= 7.5.100.60642 on Windows,
                          < 7.5.100.2276 on macOS,     >= 7.5.100.2276 on macOS,
                          < 7.5.100.59687 on Linux     >= 7.5.100.59687 on Linux
Cortex XDR Agent 7.5      < 7.5.3.60113 on Windows,    >= 7.5.3.60113 on Windows,
                          < 7.5.3.2265 on macOS,       >= 7.5.3.2265 on macOS,
                          < 7.5.3.59465 on Linux       >= 7.5.3.59465 on Linux
Cortex XDR Agent 7.4      7.4.*
Cortex XDR Agent 6.1      < 6.1.9.61370 on Windows,    >= 6.1.9.61370 on Windows,
                          < 6.1.7.1690 on macOS,       >= 6.1.7.1690 on macOS,
                          < 6.1.7.60245 on Linux       >= 6.1.7.60245 on Linux
Cortex XSOAR              None                         all
GlobalProtect App 6.0     < 6.0.1                      >= 6.0.1
GlobalProtect App 5.3     < 5.3.4                      >= 5.3.4
GlobalProtect App 5.2     < 5.2.12                     >= 5.2.12
GlobalProtect App 5.1     < 5.1.11                     >= 5.1.11
PAN-OS 10.2               < 10.2.1                     >= 10.2.1
PAN-OS 10.1               < 10.1.5-h1                  >= 10.1.5-h1
PAN-OS 10.0               < 10.0.10                    >= 10.0.10
PAN-OS 9.1                < 9.1.13-h3                  >= 9.1.13-h3
PAN-OS 9.0                < 9.0.16-h2                  >= 9.0.16-h2
PAN-OS 8.1                < 8.1.23                     >= 8.1.23
Prisma Access 3.1         Preferred, Innovation
Prisma Access 3.0         Preferred, Innovation
Prisma Access 2.2         Preferred
Prisma Access 2.1         Preferred, Innovation
Prisma Cloud              None                         all

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.

Weakness Type

CWE-834 Excessive Iteration

Solution

This issue is fixed in PAN-OS 8.1.23, PAN-OS 9.0.16-h2, PAN-OS 9.1.13-h3, PAN-OS 10.0.10, PAN-OS 10.1.5-h1, PAN-OS 10.2.1, and all later PAN-OS versions.

This issue is fixed in GlobalProtect app 5.1.11 and GlobalProtect app 6.0.1.
We intend to fix this issue in the following GlobalProtect app releases: GlobalProtect app 5.2.12, GlobalProtect app 5.3.4. These updates are expected to be available during the month of May, 2022.

This issue is fixed in Cortex XDR agent 6.1.9 hotfix build 6.1.9.61370 on Windows, Cortex XDR agent 6.1.7 hotfix build 6.1.7.1690 on macOS, Cortex XDR agent 6.1.7 hotfix build 6.1.7.60245 on Linux, Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.60642 on Windows, Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.2276 on macOS, Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.59687 on Linux, Cortex XDR agent 7.5.3 build 7.5.3.60113 on Windows, Cortex XDR agent 7.5.3 build 7.5.3.2265 on macOS, Cortex XDR agent 7.5.3 build 7.5.3.59465 on Linux, Cortex XDR agent 7.6.2 hotfix build 7.6.2.60545 on Windows, Cortex XDR agent 7.6.2 hotfix build 7.6.2.2311 on macOS, Cortex XDR agent 7.6.2 hotfix build 7.6.2.59612 on Linux, Cortex XDR agent 7.7.0 hotfix build 7.7.0.60725 on Windows, Cortex XDR agent 7.7.0 hotfix build 7.7.0.2356 on macOS, Cortex XDR agent 7.7.0 hotfix build 7.7.0.59559 on Linux, and all later versions and builds of Cortex XDR agent.

Cortex XDR agent 7.4 is end-of-life on May 24, 2022 and is not expected to receive a fix for this issue.

This issue is addressed for Prisma Access customers in the Prisma Access patch rollout that will begin on May 7, 2022 and will be a phased rollout performed based on theaters. Palo Alto Networks will send an additional email notification through Prisma Access Insights one week before the rollout begins for affected tenant(s).

This advisory will be updated as more fixed version information becomes available for the GlobalProtect app releases.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block known attacks for this vulnerability by enabling Threat IDs 92409 and 92411 (Applications and Threats content update 8552). This mitigation reduces the risk of exploitation from known exploits.
Customers will need to upgrade their products to a fixed version to completely remove the risk of this issue.

Frequently Asked Questions

Q. When will fixes for PAN-OS be available?

The fix for this issue is available in PAN-OS 8.1.23, PAN-OS 9.0.16-h2, PAN-OS 9.1.13-h3, PAN-OS 10.0.10, PAN-OS 10.1.5-h1, and PAN-OS 10.2.1 versions. All fixed versions of PAN-OS are now available.

Q. Are Threat Prevention signatures available for this issue?

Customers with a Threat Prevention subscription can block known attacks for this vulnerability by enabling Threat IDs 92409 and 92411 (Applications and Threats content update 8552). This mitigation reduces the risk of exploitation from known exploits.

Q. Where can I get the most up-to-date information on product fixes for this issue?

This security advisory will be continually updated with the latest fixed version information for all listed Palo Alto Networks products.

Q. What will happen to PAN-OS if this issue is encountered?

If this issue is encountered in the firewall data plane or management plane, the impacted PAN-OS process will abort and generate crash-related debug information. If this issue is encountered repeatedly, the firewall will reboot, which can result in a denial of service to all PAN-OS services.

Timeline

2022-05-12 GlobalProtect app fixed version GlobalProtect app 5.1.11 is now available.
2022-05-11 Cortex XDR agent fixes for Cortex XDR agent 6.1 and 7.5-CE are now available.
2022-05-04 GlobalProtect app fixed version GlobalProtect app 6.0.1 is now available.
2022-04-30 Updated fix information for Cortex XDR agent. New fix ETA for Prisma Access customers.
2022-04-27 PAN-OS fixed version PAN-OS 8.1.23 is now available.
2022-04-22 Added new Cortex XDR agent fix ETAs. Updated ETA for PAN-OS 8.1.23 fix.
2022-04-20 Added new GlobalProtect app 5.3 fix ETA.
2022-04-19 PAN-OS fixed version PAN-OS 10.2.1 is now available.
2022-04-15 Added new GlobalProtect app fix ETAs.
2022-04-12 PAN-OS fixed version PAN-OS 10.0.10 is now available.
2022-04-12 PAN-OS fixed version PAN-OS 9.0.16-h2 is now available.
2022-04-07 PAN-OS fixed versions PAN-OS 9.1.13-h3 and PAN-OS 10.1.5-h1 are now available.
2022-04-06 Added new PAN-OS fix ETAs, available threat prevention signatures, and additional FAQ.
2022-03-31 Initial publication

(C) 2020 Palo Alto Networks, Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above.
If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
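
A version check for the PAN-OS fixed releases listed in the bulletin above, as an added example that is not part of the bulletin and is not Palo Alto Networks or AusCERT code. The function names, the sample hostnames and the ordering rule (a release without a suffix sorts below its `-hN` hotfixes, which sort below the next maintenance release) are assumptions of this example; release trains newer than 10.2 are treated as fixed on the strength of the advisory's "all later PAN-OS versions".

```python
import re

# Fixed PAN-OS release per train, copied from the advisory's Solution section.
FIXED = {
    (8, 1): "8.1.23", (9, 0): "9.0.16-h2", (9, 1): "9.1.13-h3",
    (10, 0): "10.0.10", (10, 1): "10.1.5-h1", (10, 2): "10.2.1",
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Return (major, minor, maintenance, hotfix); no suffix counts as hotfix 0."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part or 0) for part in match.groups())

def status(version):
    """Return 'affected', 'fixed', or 'unlisted' for one version string."""
    parsed = parse(version)
    train = parsed[:2]
    if train in FIXED:
        return "fixed" if parsed >= parse(FIXED[train]) else "affected"
    # "and all later PAN-OS versions": trains newer than the newest listed one.
    return "fixed" if train > max(FIXED) else "unlisted"

def triage(inventory):
    """Map hostname -> status; unparseable versions are reported, not dropped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = status(version)
        except ValueError:
            report[host] = "unparsed"
    return report

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "fw-edge-01": "9.0.16",     # maintenance release without the -h2 hotfix
    "fw-edge-02": "9.0.16-h2",
    "fw-dc-01": "10.1.4-h4",    # hotfix of an older maintenance release
    "fw-dc-02": "10.2.1",
    "fw-lab-01": "8.0.20",      # train not covered by the advisory
    "fw-lab-02": "10.1.5-b3",   # suffix this parser does not understand
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(f"{host:12} {SAMPLE[host]:10} {result}")
```

Hosts reported as `unlisted` or `unparsed` need a manual look: the advisory makes no statement about trains older than 8.1, and the parser only understands `X.Y.Z` and `X.Y.Z-hN`.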