Discover the impact of CVE-2022-0011 in PAN-OS software. Learn about the potential risks, affected versions, and mitigation steps against URL category exceptions bypassing security policies.
A vulnerability in PAN-OS software allows specific websites to bypass URL category enforcement, potentially leading to unintended blocking or allowing of URLs. This issue affects several Palo Alto Networks products.
Understanding CVE-2022-0011
This CVE involves a flaw in the URL filtering mechanism of PAN-OS software, impacting Palo Alto Networks products such as PAN-OS and Prisma Access.
What is CVE-2022-0011?
PAN-OS software lets administrators use custom URL category lists or external dynamic lists (EDLs) to exclude certain websites from URL category enforcement. Entries in these lists can allow or block more URLs than intended, which creates a security risk.
The Impact of CVE-2022-0011
The vulnerability may inadvertently permit or deny access to URLs based on patterns in the custom lists, affecting security policy enforcement and potentially exposing networks to threats.
Technical Details of CVE-2022-0011
Vulnerability Description
Entries in custom URL lists that lack correct patterns could match unintended URLs, impacting traffic filtering and security policies.
Affected Systems and Versions
Several versions of PAN-OS, including 10.1.3, 10.0.8, 9.1.12, and all 9.0 versions, are susceptible to this issue, alongside Prisma Access 2.2 and 2.1.
Exploitation Mechanism
No malicious exploitation of this vulnerability has been reported by Palo Alto Networks.
Mitigation and Prevention
Immediate Steps to Take
To mitigate this issue, add a forward slash (/) to the end of hostname patterns in custom URL lists or EDLs. Prisma Access users can enable a specific feature, while PAN-OS devices require CLI commands.
Long-Term Security Practices
Evaluate and adjust custom URL lists and EDLs to ensure proper policy rule enforcement. Ensure correct usage of tokens to match desired hostnames effectively.
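The list review described above can be scripted. The following is an added example, not Palo Alto Networks code: it flags hostname entries that lack the trailing forward slash and suggests the corrected entry. The sample list, the function names, the `*` and `^` wildcard tokens, and the prefix-style `loose_match` model are assumptions made for illustration; `loose_match` is not the PAN-OS matcher.

```python
"""Audit a custom URL list / EDL for hostname entries missing the trailing "/"."""

# Assumption: "*" and "^" are the list's wildcard tokens; entries that end in
# one are reported for manual review rather than rewritten.
WILDCARD_TOKENS = ("*", "^")

# Constructed sample list (reserved example domains only).
SAMPLE_EDL = """\
example.com
example.com/
*.example.org
example.net.*
intranet.example.com/login
"""


def classify(entry):
    """Return 'ok', 'add-slash' or 'review-token' for one list entry."""
    if "/" in entry:
        return "ok"  # hostname part is already terminated by a slash
    if entry.endswith(WILDCARD_TOKENS):
        return "review-token"
    return "add-slash"


def audit(text):
    """Return (line_no, entry, status, suggested_entry) for each non-blank line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        status = classify(entry)
        suggested = entry + "/" if status == "add-slash" else entry
        findings.append((line_no, entry, status, suggested))
    return findings


def loose_match(entry, url):
    """Simplified model for literal entries: an entry matches as a prefix of host/path."""
    target = url.split("://", 1)[-1]
    if "/" not in target:
        target += "/"  # bare hostname: treat as the site root
    return target.startswith(entry)


if __name__ == "__main__":
    for line_no, entry, status, suggested in audit(SAMPLE_EDL):
        print(f"{line_no}: {entry!r:32} {status:13} -> {suggested!r}")
```

Under this model the entry `example.com` also matches `example.com.website.test`, while `example.com/` matches only the intended host.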
Patching and Updates
Upgrade to PAN-OS 8.1.21, 9.1.12, 10.0.8, 10.1.3, or Prisma Access 3.0 to access configurable options that enhance security in handling URL category exceptions.