-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1373.7
   CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778
                                12 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
                   Cortex XDR Agent
                   GlobalProtect App
Publisher:         Palo Alto
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0778

Original Bulletin:
   https://securityadvisories.paloaltonetworks.com/CVE-2022-0778

Revision History:  May 12 2022:   Cortex XDR agent fixes for Cortex XDR agent 6.1
                                  and 7.5-CE are updated
                   May 5 2022:    Significant updates to vendor advisory
                   April 8 2022:  Vendor added fixed versions for PAN-OS
                   April 1 2022:  Fixed format
                   April 1 2022:  Added threat prevention signatures and
                                  additional product status
                   March 31 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2022-0778

CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778

Severity                7.5 HIGH
Attack Vector           NETWORK
Scope                   UNCHANGED
Attack Complexity       LOW
Confidentiality Impact  NONE
Privileges Required     NONE
Integrity Impact        NONE
User Interaction        NONE
Availability Impact     HIGH
Published               2022-03-31
Updated                 2022-05-11
Reference               PAN-190175 and PAN-190223
Discovered externally

Description

The Palo Alto Networks Product Security Assurance team has evaluated the OpenSSL infinite loop vulnerability (CVE-2022-0778) as it relates to our products. This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a Denial-of-Service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

The Prisma Cloud and Cortex XSOAR products are not impacted by this vulnerability. However, PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a vulnerable version of the OpenSSL library and product availability is impacted by this vulnerability. For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers.

This vulnerability has reduced severity on Cortex XDR agent and GlobalProtect app as successful exploitation requires a meddler-in-the-middle attack (MITM): 5.9 Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

We are working diligently on fixes to remove the vulnerable code from our GlobalProtect app software. All fixed versions of Cortex XDR agent and PAN-OS are now available.

This issue impacts the following versions of PAN-OS:
  PAN-OS 8.1 versions earlier than PAN-OS 8.1.23;
  PAN-OS 9.0 versions earlier than PAN-OS 9.0.16-h2;
  PAN-OS 9.1 versions earlier than PAN-OS 9.1.13-h3;
  PAN-OS 10.0 versions earlier than PAN-OS 10.0.10;
  PAN-OS 10.1 versions earlier than PAN-OS 10.1.5-h1;
  PAN-OS 10.2 versions earlier than PAN-OS 10.2.1.

This issue impacts the following versions of GlobalProtect app:
  GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.11 (ETA: month of May, 2022);
  GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.12 (ETA: month of May, 2022);
  GlobalProtect app 5.3 versions earlier than GlobalProtect app 5.3.4 (ETA: month of May, 2022);
  GlobalProtect app 6.0 versions earlier than GlobalProtect app 6.0.1.

This issue impacts the following versions and builds of Cortex XDR agent:
  Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9 hotfix build 6.1.9.61370 on Windows;
  Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.7 hotfix build 6.1.7.1690 on macOS;
  Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.7 hotfix build 6.1.7.60245 on Linux;
  All versions and builds of Cortex XDR agent 7.4;
  Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.60642 on Windows;
  Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.2276 on macOS;
  Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.59687 on Linux;
  Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build 7.5.3.60113 on Windows;
  Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build 7.5.3.2265 on macOS;
  Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build 7.5.3.59465 on Linux;
  Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build 7.6.2.60545 on Windows;
  Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build 7.6.2.2311 on macOS;
  Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build 7.6.2.59612 on Linux;
  Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build 7.7.0.60725 on Windows;
  Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build 7.7.0.2356 on macOS;
  Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build 7.7.0.59559 on Linux.

This issue is addressed for Prisma Access customers in the Prisma Access patch rollout that will begin on May 7, 2022 and will be a phased rollout performed based on theaters. Palo Alto Networks will send an additional email notification through Prisma Access Insights one week before the rollout begins for affected tenant(s).
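Turning the affected-version lists above into a fleet triage check, as an added example that is not Palo Alto Networks or AusCERT code: the fixed-version tables are transcribed from this advisory, while everything else is the example's own assumption, namely how a PAN-OS "-hN" hotfix suffix sorts against the base release, that Cortex XDR agent builds compare as four-part numbers per platform, that the caller flags the 7.5-CE train explicitly because it shares a major.minor with 7.5, and the constructed sample inventory (hostnames and versions invented for the example).

```python
"""Triage helper for CVE-2022-0778 across the Palo Alto Networks products
listed in the advisory above.  Added example, not vendor code.  The
fixed-version tables are transcribed from the advisory; the parsing and
ordering rules are assumptions made by this example."""
import re

# First fixed release per PAN-OS train (from the advisory).
PANOS_FIXED = {
    "8.1": "8.1.23", "9.0": "9.0.16-h2", "9.1": "9.1.13-h3",
    "10.0": "10.0.10", "10.1": "10.1.5-h1", "10.2": "10.2.1",
}
# First fixed release per GlobalProtect app train (from the advisory).
GLOBALPROTECT_FIXED = {"5.1": "5.1.11", "5.2": "5.2.12", "5.3": "5.3.4", "6.0": "6.0.1"}
# First fixed Cortex XDR agent build per train and platform (from the advisory).
# 7.4 has no fix (end-of-life per the advisory), so every 7.4 build is affected.
XDR_FIXED = {
    "6.1":    {"windows": "6.1.9.61370",   "macos": "6.1.7.1690",   "linux": "6.1.7.60245"},
    "7.4":    None,
    "7.5":    {"windows": "7.5.3.60113",   "macos": "7.5.3.2265",   "linux": "7.5.3.59465"},
    "7.5-CE": {"windows": "7.5.100.60642", "macos": "7.5.100.2276", "linux": "7.5.100.59687"},
    "7.6":    {"windows": "7.6.2.60545",   "macos": "7.6.2.2311",   "linux": "7.6.2.59612"},
    "7.7":    {"windows": "7.7.0.60725",   "macos": "7.7.0.2356",   "linux": "7.7.0.59559"},
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-h(\d+))?$")


def parse_version(text):
    """'9.0.16-h2' -> ((9, 0, 16), 2).  Assumption of this example: a PAN-OS
    hotfix sorts after its base release and before the next maintenance
    release, so 9.0.16 < 9.0.16-h2 < 9.0.17; no -h suffix means hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def _train(parts):
    return f"{parts[0]}.{parts[1]}"


def _affected(version, fixed_by_train):
    """True if affected, False if at/after the fixed release, None if the
    advisory does not list this train at all (no claim either way)."""
    parsed = parse_version(version)
    fixed = fixed_by_train.get(_train(parsed[0]))
    return None if fixed is None else parsed < parse_version(fixed)


def panos_affected(version):
    return _affected(version, PANOS_FIXED)


def globalprotect_affected(version):
    return _affected(version, GLOBALPROTECT_FIXED)


def xdr_agent_affected(build, platform, community_edition=False):
    """Cortex XDR agent builds are compared as four-part numbers per platform.
    The 7.5 and 7.5-CE trains share a major.minor, so the caller states which
    one the agent is on (an assumption of this example, not an advisory rule)."""
    parts, _ = parse_version(build)
    train = _train(parts) + ("-CE" if community_edition else "")
    if train not in XDR_FIXED:
        return None
    fixed = XDR_FIXED[train]
    if fixed is None:
        return True  # no fixed build exists for this train
    return parts < parse_version(fixed[platform.lower()])[0]


def triage(inventory):
    """Label each inventory row 'affected', 'fixed' or 'unlisted'."""
    out = []
    for row in inventory:
        if row["product"] == "pan-os":
            hit = panos_affected(row["version"])
        elif row["product"] == "globalprotect":
            hit = globalprotect_affected(row["version"])
        elif row["product"] == "cortex-xdr-agent":
            hit = xdr_agent_affected(row["version"], row["platform"], row.get("ce", False))
        else:
            raise ValueError(f"unknown product {row['product']!r}")
        out.append((row["host"], "unlisted" if hit is None else "affected" if hit else "fixed"))
    return out


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-1",  "product": "pan-os", "version": "9.0.16"},
    {"host": "fw-edge-2",  "product": "pan-os", "version": "9.0.16-h2"},
    {"host": "panorama-1", "product": "pan-os", "version": "10.1.5-h1"},
    {"host": "fw-lab",     "product": "pan-os", "version": "7.1.26"},
    {"host": "laptop-17",  "product": "globalprotect", "version": "5.2.11"},
    {"host": "laptop-18",  "product": "globalprotect", "version": "6.0.1"},
    {"host": "srv-db-3",   "product": "cortex-xdr-agent", "version": "7.4.3.12345", "platform": "linux"},
    {"host": "srv-web-1",  "product": "cortex-xdr-agent", "version": "7.5.100.59686", "platform": "linux", "ce": True},
    {"host": "mac-ops-2",  "product": "cortex-xdr-agent", "version": "6.1.7.1690", "platform": "macos"},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

The hotfix ordering is the part worth getting right: a firewall reporting 9.0.16 is still affected because the fix shipped in 9.0.16-h2, and a plain string or float comparison of version numbers would wrongly call it patched. A train the advisory does not mention comes back as "unlisted" rather than "fixed", so an old appliance is never silently marked safe.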
Product Status

Product                  Versions Affected                 Unaffected
Cortex XDR Agent 7.7     < 7.7.0.60725 on Windows,         >= 7.7.0.60725 on Windows,
                         < 7.7.0.2356 on macOS,            >= 7.7.0.2356 on macOS,
                         < 7.7.0.59559 on Linux            >= 7.7.0.59559 on Linux
Cortex XDR Agent 7.6     < 7.6.2.60545 on Windows,         >= 7.6.2.60545 on Windows,
                         < 7.6.2.2311 on macOS,            >= 7.6.2.2311 on macOS,
                         < 7.6.2.59612 on Linux            >= 7.6.2.59612 on Linux
Cortex XDR Agent 7.5-CE  < 7.5.100.60642 on Windows,       >= 7.5.100.60642 on Windows,
                         < 7.5.100.2276 on macOS,          >= 7.5.100.2276 on macOS,
                         < 7.5.100.59687 on Linux          >= 7.5.100.59687 on Linux
Cortex XDR Agent 7.5     < 7.5.3.60113 on Windows,         >= 7.5.3.60113 on Windows,
                         < 7.5.3.2265 on macOS,            >= 7.5.3.2265 on macOS,
                         < 7.5.3.59465 on Linux            >= 7.5.3.59465 on Linux
Cortex XDR Agent 7.4     7.4.*
Cortex XDR Agent 6.1     < 6.1.9.61370 on Windows,         >= 6.1.9.61370 on Windows,
                         < 6.1.7.1690 on macOS,            >= 6.1.7.1690 on macOS,
                         < 6.1.7.60245 on Linux            >= 6.1.7.60245 on Linux
Cortex XSOAR             None                              all
GlobalProtect App 6.0    < 6.0.1                           >= 6.0.1
GlobalProtect App 5.3    < 5.3.4                           >= 5.3.4
GlobalProtect App 5.2    < 5.2.12                          >= 5.2.12
GlobalProtect App 5.1    < 5.1.11                          >= 5.1.11
PAN-OS 10.2              < 10.2.1                          >= 10.2.1
PAN-OS 10.1              < 10.1.5-h1                       >= 10.1.5-h1
PAN-OS 10.0              < 10.0.10                         >= 10.0.10
PAN-OS 9.1               < 9.1.13-h3                       >= 9.1.13-h3
PAN-OS 9.0               < 9.0.16-h2                       >= 9.0.16-h2
PAN-OS 8.1               < 8.1.23                          >= 8.1.23
Prisma Access 3.1        Preferred, Innovation
Prisma Access 3.0        Preferred, Innovation
Prisma Access 2.2        Preferred
Prisma Access 2.1        Preferred, Innovation
Prisma Cloud             None                              all

Severity: HIGH
CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.

Weakness Type

CWE-834 Excessive Iteration

Solution

This issue is fixed in PAN-OS 8.1.23, PAN-OS 9.0.16-h2, PAN-OS 9.1.13-h3, PAN-OS 10.0.10, PAN-OS 10.1.5-h1, PAN-OS 10.2.1, and all later PAN-OS versions.

This issue is fixed in GlobalProtect app 6.0.1. We intend to fix this issue in the following GlobalProtect app releases: GlobalProtect app 5.1.11, GlobalProtect app 5.2.12, GlobalProtect app 5.3.4. These updates are expected to be available during the month of May, 2022.

This issue is fixed in the following Cortex XDR agent builds, and in all later versions and builds of Cortex XDR agent:
  Cortex XDR agent 6.1.9 hotfix build 6.1.9.61370 on Windows;
  Cortex XDR agent 6.1.7 hotfix build 6.1.7.1690 on macOS;
  Cortex XDR agent 6.1.7 hotfix build 6.1.7.60245 on Linux;
  Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.60642 on Windows;
  Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.2276 on macOS;
  Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.59687 on Linux;
  Cortex XDR agent 7.5.3 build 7.5.3.60113 on Windows;
  Cortex XDR agent 7.5.3 build 7.5.3.2265 on macOS;
  Cortex XDR agent 7.5.3 build 7.5.3.59465 on Linux;
  Cortex XDR agent 7.6.2 hotfix build 7.6.2.60545 on Windows;
  Cortex XDR agent 7.6.2 hotfix build 7.6.2.2311 on macOS;
  Cortex XDR agent 7.6.2 hotfix build 7.6.2.59612 on Linux;
  Cortex XDR agent 7.7.0 hotfix build 7.7.0.60725 on Windows;
  Cortex XDR agent 7.7.0 hotfix build 7.7.0.2356 on macOS;
  Cortex XDR agent 7.7.0 hotfix build 7.7.0.59559 on Linux.

Cortex XDR agent 7.4 is end-of-life on May 24, 2022 and is not expected to receive a fix for this issue.

This issue is addressed for Prisma Access customers in the Prisma Access patch rollout that will begin on May 7, 2022 and will be a phased rollout performed based on theaters. Palo Alto Networks will send an additional email notification through Prisma Access Insights one week before the rollout begins for affected tenant(s).

This advisory will be updated as more fixed version information becomes available for the GlobalProtect app releases.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block known attacks for this vulnerability by enabling Threat IDs 92409 and 92411 (Applications and Threats content update 8552). This mitigation reduces the risk of exploitation from known exploits. Customers will need to upgrade their products to a fixed version to completely remove the risk of this issue.

Frequently Asked Questions

Q. When will fixes for PAN-OS be available?

The fix for this issue is available in PAN-OS 8.1.23, PAN-OS 9.0.16-h2, PAN-OS 9.1.13-h3, PAN-OS 10.0.10, PAN-OS 10.1.5-h1, and PAN-OS 10.2.1 versions. All fixed versions of PAN-OS are now available.

Q. Are Threat Prevention signatures available for this issue?

Customers with a Threat Prevention subscription can block known attacks for this vulnerability by enabling Threat IDs 92409 and 92411 (Applications and Threats content update 8552). This mitigation reduces the risk of exploitation from known exploits.

Q. Where can I get the most up-to-date information on product fixes for this issue?

This security advisory will be continually updated with the latest fixed version information for all listed Palo Alto Networks products.

Q. What will happen to PAN-OS if this issue is encountered?

If this issue is encountered in the firewall data plane or management plane, the impacted PAN-OS process will abort and generate crash-related debug information. If this issue is encountered repeatedly, the firewall will reboot, which can result in a denial-of-service to all PAN-OS services.

Timeline

2022-05-11  Cortex XDR agent fixes for Cortex XDR agent 6.1 and 7.5-CE are now available.
2022-05-04  GlobalProtect app fixed version GlobalProtect app 6.0.1 is now available.
2022-04-30  Updated fix information for Cortex XDR agent. New fix ETA for Prisma Access customers.
2022-04-27  PAN-OS fixed version PAN-OS 8.1.23 is now available.
2022-04-22  Added new Cortex XDR agent fix ETAs. Updated ETA for PAN-OS 8.1.23 fix.
2022-04-20  Added new GlobalProtect app 5.3 fix ETA.
2022-04-19  PAN-OS fixed version PAN-OS 10.2.1 is now available.
2022-04-15  Added new GlobalProtect app fix ETAs.
2022-04-12  PAN-OS fixed version PAN-OS 10.0.10 is now available.
2022-04-12  PAN-OS fixed version PAN-OS 9.0.16-h2 is now available.
2022-04-07  PAN-OS fixed versions PAN-OS 9.1.13-h3 and PAN-OS 10.1.5-h1 are now available.
2022-04-06  Added new PAN-OS fix ETAs, available threat prevention signatures, and additional FAQ.
2022-03-31  Initial publication

(C) 2020 Palo Alto Networks, Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above.
If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYnxmKckNZI30y1K9AQj3jRAAs7d6JqaX+2dn9jbiua1/g5EJfm0Jm7z1
9Qq1GPaCIl0PGON2+XQcHXDu6P53NoEL+WOGqiz8XVV/toLSvy+rPM8/ugS6soQ2
+Jk53c8ufGBps0fXE7n/jylu2G1fGtyTCGhTrfr4fqjvYOtQNPO8MkS8P62Pkgh1
Vg2383RL58j3UDSuP1q1DaE95SDQsTpaQyoF6TN0ZaKZ5lkbSv9kWlZWh/cNz3yP
gVFKus3N46djd6f86Hcck0uUCzBUawRuwKw0OGR/R0vBpshX787v+IwnGGEKUJFK
ItfOfsUP86X8fSXMZph4z0+nPNx4ASU0uXWWkI5HM+KWokmdA0MsLBKh4IeLC+F5
CHN6xCoOdVcNutHztjcnridlGNKGUjDv3Ff4EEmo+lEsUUcMwO4T6hMw6L/LUJs8
AHLD93DjzYYkkQuu03KaGth8+w/J9ocp5mQRV99feZjlVjdTX6qZWLtG7R+SMAhw
bXeB0h7uJrZLoGKKscpkl+dL5XvPJ1c+JNr7Og6ud23tF5dTUgo7dJI3rbx82s5q
seWMu8UGjOLVsTBAwOMbvQoNqePoxpOfe5B0UKdfImKQG3jeCiP3K5lw+XmJ+4pr
vzqVZb7IdKSH9EtEY3qdzWtLWo2kTyZ4w2gEwtALFBT6PHWz64Md0h89Rdu8L1qU
10v1umFpipY=
=q37D
-----END PGP SIGNATURE-----