CVE-2022-0011: PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering
First published: Thu Feb 10 2022(Updated: )
PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile. When the entries in these lists have a hostname pattern that does not end with a forward slash (/) or a hostname pattern that ends with an asterisk (*), any URL that starts with the specified pattern is considered a match. Entries with a caret (^) at the end of a hostname pattern match any top level domain. This may inadvertently allow or block more URLs than intended and allowing more URLs than intended represents a security risk. For example: example.com will match example.com.website.test example.com.* will match example.com.website.test example.com.^ will match example.com.test You should take special care when using such entries in policy rules that allow traffic. Where possible, use the exact list of hostname names ending with a forward slash (/) instead of using wildcards. PAN-OS 10.1 versions earlier than PAN-OS 10.1.3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 9.1 versions earlier than PAN-OS 9.1.12; all PAN-OS 9.0 versions; PAN-OS 8.1 versions earlier than PAN-OS 8.1.21, and Prisma Access 2.2 and 2.1 versions do not allow customers to change this behavior without changing the URL category list or EDL.
Credit: psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto Networks PAN-OS | >=8.1.0<8.1.21 | |
| Palo Alto Networks PAN-OS | >=9.0.0<=9.0.15 | |
| Palo Alto Networks PAN-OS | >=9.1.0<9.1.12 | |
| Palo Alto Networks PAN-OS | >=10.0.0<10.0.8 | |
| Palo Alto Networks PAN-OS | >=10.1.0<10.1.3 | |
| Paloaltonetworks Prisma Access | =2.1 | |
| Paloaltonetworks Prisma Access | =2.1 | |
| Paloaltonetworks Prisma Access | =2.2 |
Remedy
PAN-OS 8.1.21, PAN-OS 9.1.12, PAN-OS 10.0.8, PAN-OS 10.1.3, Prisma Access 3.0 Preferred, and Prisma Access 3.0 Innovation all include a customer configurable option to automatically append a forward slash at the end of the hostname pattern for entries without an ending token in a custom URL category list or in an external dynamic list (EDL). Prisma Access customers should refer to “STEP 7” in the following Prisma Access 3.0 documentation to enable this feature: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/prisma-access-service-infrastructure/enable-the-service-infrastructure.html For other PAN-OS appliances, this option is enabled by running these CLI commands: debug device-server append-end-token on commit force Note: This option is disabled by default on PAN-OS 8.1, PAN-OS 9.1, PAN-OS 10.0, and PAN-OS 10.1. This option will be enabled by default starting with the next major version of PAN-OS. This option is not available on PAN-OS 9.0. Customers with PAN-OS 9.0 are advised to apply workarounds or upgrade to PAN-OS 9.1 or a later version. Additionally, customers must evaluate their custom URL category list or their external dynamic list (EDL) and any firewall policy rules that depend on them to determine whether this option provides the desired policy rule enforcement. Example 1: If the firewall policy rule is intended to allow only 'www.example.com' and not to allow access to any other site, such as www.example.com.webiste.test, then use the "debug device-server append-end-token on" CLI command. Example 2: If the firewall policy rule is set to block access to 'www.example.co' and block access to sites such as www.example.com, www.example.co.az, then keep the default setting ("debug device-server append-end-token off" CLI command). You should always use the most appropriate token if you need to match multiple hostnames in a policy rule.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-0011?
CVE-2022-0011 is a vulnerability in PAN-OS software that allows the exclusion of specific websites from URL category enforcement.
How does CVE-2022-0011 affect Paloalto Networks PAN-OS software?
CVE-2022-0011 affects Paloalto Networks PAN-OS software versions 8.1.0 to 8.1.21, 9.0.0 to 9.0.15, 9.1.0 to 9.1.12, 10.0.0 to 10.0.8, and 10.1.0 to 10.1.3.
What is the severity of CVE-2022-0011?
CVE-2022-0011 has a severity rating of 6.5 (medium).
How can I fix CVE-2022-0011?
To fix CVE-2022-0011, update your Paloalto Networks PAN-OS software to the latest version available.
Where can I find more information about CVE-2022-0011?
You can find more information about CVE-2022-0011 on the Palo Alto Networks security website.
- agent/type
- agent/softwarecombine
- agent/severity
- agent/author
- agent/title
- agent/weakness
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/paloaltonetworks
- canonical/palo alto networks pan-os
- version/palo alto networks pan-os/8.1.0
- version/palo alto networks pan-os/9.0.0
- version/palo alto networks pan-os/9.0.15
- version/palo alto networks pan-os/9.1.0
- version/palo alto networks pan-os/10.0.0
- version/palo alto networks pan-os/10.1.0
- canonical/paloaltonetworks prisma access
- version/paloaltonetworks prisma access/2.1
- version/paloaltonetworks prisma access/2.2