Are CVE-2022-0030 and CVE-2022-40684 related and is PAN-OS vulnerable to either?
Question
Are CVE-2022-0030 and CVE-2022-40684 related and is PAN-OS vulnerable to either?
Environment
- Palo Alto Network Firewall
- CVE-2022-0030 and CVE-2022-40684
Answer
On October 10, 2022, Fortinet reported CVE-2022-40684 (Fortinet: Authentication bypass on administrative interface), a vulnerability allowing authentication bypass using alternate channels. This vulnerability carries a CVSSv3 score of 9.6 out of 10, making it a critical vulnerability. It is classified under Weakness ID CWE-288: Authentication Bypass Using an Alternate Path or Channel. Palo Alto Networks customers have expressed concern over whether PAN-OS was vulnerable to the same exploit.
On October 12, 2022, Palo Alto Networks published a Security Advisory for CVE-2022-0030 (PAN-OS: Authentication Bypass in Web Interface). This CVE only affects versions of PAN-OS earlier than 8.1.24; the issue is fixed in PAN-OS 8.1.24 and all later PAN-OS versions. It is classified under Weakness ID CWE-290: Authentication Bypass by Spoofing.
While the two CVEs may appear to be similar on the surface, as both are recent CVEs related to Authentication Bypass, the two vulnerabilities aren't related and don't utilize the same attack vector.
Please note that PAN-OS 8.1 has reached its software end-of-life (EoL) and is supported only on PA-200, PA-500, and PA-5000 Series firewalls and on M-100 appliances and only until each of their respective hardware EoL dates: https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates.html.
This weakness (CWE-290) occurs when an authentication scheme is implemented in a way that is subject to spoofing, as a result of an incorrect design decision at the architectural level.
The issue arises when the authentication mechanism relies on a DNS lookup or on the source IP address to validate where a request comes from. If an attacker is able to spoof the IP address or poison the DNS cache, they may be able to bypass the authentication mechanism.
IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine.
Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today.
IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.
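The following is an added illustration of the CWE-290 pattern described above; it is example code written for this article, not PAN-OS code or anything from the Palo Alto Networks advisory. The request fields, trusted subnet, hostname suffix and HMAC token scheme are all assumptions constructed for the example. The vulnerable check treats the claimed network origin as the only factor; the hardened check requires a verifiable credential first and uses the source address only as an additional restriction, which is the recommendation above.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional


# Constructed model of an administrative request: the transport-layer source
# address, the hostname the server resolved for it (if any), and an optional
# credential the client presented.
@dataclass
class Request:
    source_ip: str
    resolved_host: Optional[str] = None
    token: Optional[str] = None


# Assumed "trusted" management network and hostname suffix (example values).
TRUSTED_SUBNET = ipaddress.ip_network("10.0.0.0/24")
TRUSTED_HOST_SUFFIX = ".mgmt.example.internal"


def vulnerable_is_admin(req: Request) -> bool:
    """CWE-290 pattern: the only 'authentication' is where the request appears
    to come from. A forged source IP or a poisoned DNS answer satisfies it."""
    if ipaddress.ip_address(req.source_ip) in TRUSTED_SUBNET:
        return True
    if req.resolved_host and req.resolved_host.endswith(TRUSTED_HOST_SUFFIX):
        return True
    return False


# Constructed server-side secret for the example token scheme (stand-in for a
# real session or credential store).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_token(username: str) -> str:
    """Issue a credential bound to a username (HMAC-SHA256, example only)."""
    return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()


def hardened_is_admin(req: Request, username: str) -> bool:
    """Credential is mandatory and checked in constant time; network origin is
    an extra gate, never the sole factor."""
    if req.token is None:
        return False
    expected = issue_token(username)
    if not hmac.compare_digest(req.token, expected):
        return False
    # Source restriction as a second factor on top of the credential.
    return ipaddress.ip_address(req.source_ip) in TRUSTED_SUBNET


if __name__ == "__main__":
    # Constructed requests: one with a forged in-subnet source address, one
    # whose reverse-DNS answer was poisoned, and one legitimate admin.
    forged_ip = Request(source_ip="10.0.0.5")
    poisoned_dns = Request(source_ip="203.0.113.9",
                           resolved_host="fw.mgmt.example.internal")
    legit = Request(source_ip="10.0.0.20", token=issue_token("admin"))
    for name, r in [("forged_ip", forged_ip), ("poisoned_dns", poisoned_dns),
                    ("legit", legit)]:
        print(name, "vulnerable:", vulnerable_is_admin(r),
              "hardened:", hardened_is_admin(r, "admin"))
```

Run as a script, the two spoofed requests pass the vulnerable check and fail the hardened one, while the request carrying a valid credential from the management subnet passes both; a valid credential presented from outside the subnet is still refused, which is the "useful part of a scheme, not the single factor" point made above.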
Upgrading to PAN-OS 8.1.24 or later is the best option; however, customers with a Threat Prevention subscription can block known attacks for this vulnerability with Threat ID 92720 (Applications and Threats content update 8630-7638).
To exploit this issue, the attacker must have network access to the PAN-OS web interface. You can mitigate the impact of this issue by following best practices for securing the PAN-OS web interface.
Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation.
If CVE-2022-40684 is your concern, Threat ID 93146, "Fortinet Multiple Products Authentication Bypass Vulnerability (CVE-2022-40684)", was released in content version 8631.
Additional Information
- https://cwe.mitre.org/data/definitions/290
- https://security.paloaltonetworks.com/CVE-2022-0030
- https://www.fortiguard.com/psirt/FG-IR-22-377
- https://www.zdnet.com/article/fortinet-warns-that-critical-authentication-bypass-flaw-has-been-exploited/
- https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices