===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.1373.7
             CVE-2022-0778 Impact of the OpenSSL Infinite Loop
                        Vulnerability CVE-2022-0778
                                12 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
                   Cortex XDR Agent
                   GlobalProtect App
Publisher:         Palo Alto
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0778  

Original Bulletin: 
   https://securityadvisories.paloaltonetworks.com/CVE-2022-0778

Revision History:  May   12 2022: Cortex XDR agent fixes for Cortex XDR agent 6.1 and 7.5-CE are updated
                   May    5 2022: Significant updates to vendor advisory
                   April  8 2022: Vendor added fixed versions for PAN-OS
                   April  1 2022: Fixed format
                   April  1 2022: Fixed format
                   April  1 2022: Added threat prevention signatures and additional product status
                   March 31 2022: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2022-0778

CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778

Severity 7.5 (HIGH)
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact NONE
Privileges Required NONE
Integrity Impact NONE
User Interaction NONE
Availability Impact HIGH
Published 2022-03-31
Updated 2022-05-11
Reference PAN-190175 and PAN-190223
Discovered externally

Description

The Palo Alto Networks Product Security Assurance team has evaluated the
OpenSSL infinite loop vulnerability (CVE-2022-0778) as it relates to our
products.

This vulnerability causes the OpenSSL library to enter an infinite loop when
parsing an invalid certificate and can result in a Denial-of-Service (DoS) to
the application. An attacker does not need a verified certificate to exploit
this vulnerability because parsing a bad certificate triggers the infinite loop
before the verification process is completed.

The Prisma Cloud and Cortex XSOAR products are not impacted by this
vulnerability. However, PAN-OS, GlobalProtect app, and Cortex XDR agent
software contain a vulnerable version of the OpenSSL library and product
availability is impacted by this vulnerability. For PAN-OS software, this
includes both hardware and virtual firewalls and Panorama appliances as well as
Prisma Access customers. This vulnerability has reduced severity on Cortex XDR
agent and GlobalProtect app as successful exploitation requires a
meddler-in-the-middle attack (MITM): 5.9 Medium
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

We are working diligently on fixes to remove the vulnerable code from our
GlobalProtect app software. All fixed versions of Cortex XDR agent and PAN-OS
are now available.

This issue impacts the following versions of PAN-OS:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.23;

PAN-OS 9.0 versions earlier than PAN-OS 9.0.16-h2;

PAN-OS 9.1 versions earlier than PAN-OS 9.1.13-h3;

PAN-OS 10.0 versions earlier than PAN-OS 10.0.10;

PAN-OS 10.1 versions earlier than PAN-OS 10.1.5-h1;

PAN-OS 10.2 versions earlier than PAN-OS 10.2.1.

This issue impacts the following versions of GlobalProtect app:

GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.11 (ETA:
month of May, 2022);

GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.12 (ETA:
month of May, 2022);

GlobalProtect app 5.3 versions earlier than GlobalProtect app 5.3.4 (ETA: month
of May, 2022);

GlobalProtect app 6.0 versions earlier than GlobalProtect app 6.0.1.

This issue impacts the following versions and builds of Cortex XDR agent:

Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9 hotfix build
6.1.9.61370 on Windows;

Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.7 hotfix build
6.1.7.1690 on macOS;

Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.7 hotfix build
6.1.7.60245 on Linux;

All versions and builds of Cortex XDR agent 7.4;

Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE
hotfix build 7.5.100.60642 on Windows;

Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE
hotfix build 7.5.100.2276 on macOS;

Cortex XDR agent 7.5-CE versions earlier than Cortex XDR agent 7.5.100-CE
hotfix build 7.5.100.59687 on Linux;

Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build
7.5.3.60113 on Windows;

Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build
7.5.3.2265 on macOS;

Cortex XDR agent 7.5 versions earlier than Cortex XDR agent 7.5.3 build
7.5.3.59465 on Linux;

Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build
7.6.2.60545 on Windows;

Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build
7.6.2.2311 on macOS;

Cortex XDR agent 7.6 versions earlier than Cortex XDR agent 7.6.2 hotfix build
7.6.2.59612 on Linux;

Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build
7.7.0.60725 on Windows;

Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build
7.7.0.2356 on macOS;

Cortex XDR agent 7.7 versions earlier than Cortex XDR agent 7.7.0 hotfix build
7.7.0.59559 on Linux.

This issue is addressed for Prisma Access customers in the Prisma Access patch
rollout that will begin on May 7, 2022 and will be a phased rollout performed
based on theaters. Palo Alto Networks will send an additional email
notification through Prisma Access Insights one week before the rollout begins
for affected tenant(s).

Product Status

Versions                  Affected                      Unaffected
Cortex XDR Agent 7.7      < 7.7.0.60725 on Windows      >= 7.7.0.60725 on Windows
                          < 7.7.0.2356 on macOS         >= 7.7.0.2356 on macOS
                          < 7.7.0.59559 on Linux        >= 7.7.0.59559 on Linux
Cortex XDR Agent 7.6      < 7.6.2.60545 on Windows      >= 7.6.2.60545 on Windows
                          < 7.6.2.2311 on macOS         >= 7.6.2.2311 on macOS
                          < 7.6.2.59612 on Linux        >= 7.6.2.59612 on Linux
Cortex XDR Agent 7.5-CE   < 7.5.100.60642 on Windows    >= 7.5.100.60642 on Windows
                          < 7.5.100.2276 on macOS       >= 7.5.100.2276 on macOS
                          < 7.5.100.59687 on Linux      >= 7.5.100.59687 on Linux
Cortex XDR Agent 7.5      < 7.5.3.60113 on Windows      >= 7.5.3.60113 on Windows
                          < 7.5.3.2265 on macOS         >= 7.5.3.2265 on macOS
                          < 7.5.3.59465 on Linux        >= 7.5.3.59465 on Linux
Cortex XDR Agent 7.4      7.4.*
Cortex XDR Agent 6.1      < 6.1.9.61370 on Windows      >= 6.1.9.61370 on Windows
                          < 6.1.7.1690 on macOS         >= 6.1.7.1690 on macOS
                          < 6.1.7.60245 on Linux        >= 6.1.7.60245 on Linux
Cortex XSOAR              None                          all
GlobalProtect App 6.0     < 6.0.1                       >= 6.0.1
GlobalProtect App 5.3     < 5.3.4                       >= 5.3.4
GlobalProtect App 5.2     < 5.2.12                      >= 5.2.12
GlobalProtect App 5.1     < 5.1.11                      >= 5.1.11
PAN-OS 10.2               < 10.2.1                      >= 10.2.1
PAN-OS 10.1               < 10.1.5-h1                   >= 10.1.5-h1
PAN-OS 10.0               < 10.0.10                     >= 10.0.10
PAN-OS 9.1                < 9.1.13-h3                   >= 9.1.13-h3
PAN-OS 9.0                < 9.0.16-h2                   >= 9.0.16-h2
PAN-OS 8.1                < 8.1.23                      >= 8.1.23
Prisma Access 3.1         Preferred, Innovation
Prisma Access 3.0         Preferred, Innovation
Prisma Access 2.2         Preferred
Prisma Access 2.1         Preferred, Innovation
Prisma Cloud              None                          all

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on
any of our products.

Weakness Type

CWE-834 Excessive Iteration

Solution

This issue is fixed in PAN-OS 8.1.23, PAN-OS 9.0.16-h2, PAN-OS 9.1.13-h3,
PAN-OS 10.0.10, PAN-OS 10.1.5-h1, PAN-OS 10.2.1, and all later PAN-OS versions.

This issue is fixed in GlobalProtect app 6.0.1. We intend to fix this issue in
the following GlobalProtect app releases: GlobalProtect app 5.1.11,
GlobalProtect app 5.2.12, GlobalProtect app 5.3.4. These updates are expected
to be available during the month of May, 2022.

This issue is fixed in Cortex XDR agent 6.1.9 hotfix build 6.1.9.61370 on
Windows, Cortex XDR agent 6.1.7 hotfix build 6.1.7.1690 on macOS, Cortex XDR
agent 6.1.7 hotfix build 6.1.7.60245 on Linux, Cortex XDR agent 7.5.100-CE
hotfix build 7.5.100.60642 on Windows, Cortex XDR agent 7.5.100-CE hotfix build
7.5.100.2276 on macOS, Cortex XDR agent 7.5.100-CE hotfix build 7.5.100.59687
on Linux, Cortex XDR agent 7.5.3 build 7.5.3.60113 on Windows, Cortex XDR agent
7.5.3 build 7.5.3.2265 on macOS, Cortex XDR agent 7.5.3 build 7.5.3.59465 on
Linux, Cortex XDR agent 7.6.2 hotfix build 7.6.2.60545 on Windows, Cortex XDR
agent 7.6.2 hotfix build 7.6.2.2311 on macOS, Cortex XDR agent 7.6.2 hotfix
build 7.6.2.59612 on Linux, Cortex XDR agent 7.7.0 hotfix build
7.7.0.60725 on Windows, Cortex XDR agent 7.7.0 hotfix build 7.7.0.2356 on
macOS, Cortex XDR agent 7.7.0 hotfix build 7.7.0.59559 on Linux, and all later
versions and builds of Cortex XDR agent. Cortex XDR agent 7.4 is end-of-life on
May 24, 2022 and is not expected to receive a fix for this issue.

This issue is addressed for Prisma Access customers in the Prisma Access patch
rollout that will begin on May 7, 2022 and will be a phased rollout performed
based on theaters. Palo Alto Networks will send an additional email
notification through Prisma Access Insights one week before the rollout begins
for affected tenant(s).

This advisory will be updated as more fixed version information becomes
available for the GlobalProtect app releases.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block known attacks for
this vulnerability by enabling Threat IDs 92409 and 92411 (Applications and
Threats content update 8552). This mitigation reduces the risk of exploitation
from known exploits.

Customers will need to upgrade their products to a fixed version to completely
remove the risk of this issue.

Frequently Asked Questions

Q. When will fixes for PAN-OS be available?

    The fix for this issue is available in PAN-OS 8.1.23, PAN-OS 9.0.16-h2,
    PAN-OS 9.1.13-h3, PAN-OS 10.0.10, PAN-OS 10.1.5-h1, and PAN-OS 10.2.1
    versions. All fixed versions of PAN-OS are now available.

Q. Are Threat Prevention signatures available for this issue?

    Customers with a Threat Prevention subscription can block known attacks for
    this vulnerability by enabling Threat IDs 92409 and 92411 (Applications and
    Threats content update 8552). This mitigation reduces the risk of
    exploitation from known exploits.

Q. Where can I get the most up-to-date information on product fixes for this
issue?

    This security advisory will be continually updated with the latest fixed
    version information for all listed Palo Alto Networks products.

Q. What will happen to PAN-OS if this issue is encountered?

    If this issue is encountered in the firewall data plane or management
    plane, the impacted PAN-OS process will abort and generate crash-related
    debug information. If this issue is encountered repeatedly, the firewall
    will reboot, which can result in a denial of service to all PAN-OS
    services.

Timeline

2022-05-11 Cortex XDR agent fixes for Cortex XDR agent 6.1 and 7.5-CE are now
available.
2022-05-04 GlobalProtect app fixed version GlobalProtect app 6.0.1 is now
available.
2022-04-30 Updated fix information for Cortex XDR agent. New fix ETA for Prisma
Access customers.
2022-04-27 PAN-OS fixed version PAN-OS 8.1.23 is now available.
2022-04-22 Added new Cortex XDR agent fix ETAs. Updated ETA for PAN-OS 8.1.23
fix.
2022-04-20 Added new GlobalProtect app 5.3 fix ETA.
2022-04-19 PAN-OS fixed version PAN-OS 10.2.1 is now available.
2022-04-15 Added new GlobalProtect app fix ETAs.
2022-04-12 PAN-OS fixed version PAN-OS 10.0.10 is now available.
2022-04-12 PAN-OS fixed version PAN-OS 9.0.16-h2 is now available.
2022-04-07 PAN-OS fixed versions PAN-OS 9.1.13-h3 and PAN-OS 10.1.5-h1 are now
available.
2022-04-06 Added new PAN-OS fix ETAs, available threat prevention signatures,
and additional FAQ.
2022-03-31 Initial publication
(C) 2020 Palo Alto Networks, Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================