Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2022-0011

CVE-2022-0011: Palo Alto PAN-OS URL Filter Vulnerability

CVE-2022-0011 is an information disclosure vulnerability in Palo Alto Networks PAN-OS affecting URL filtering. Wildcard patterns may unintentionally allow or block URLs, creating security risks. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2022-0011 Overview

CVE-2022-0011 is a URL filtering bypass vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access products. The vulnerability stems from improper pattern matching behavior in custom URL category lists and external dynamic lists (EDL) used for URL filtering enforcement. When hostname patterns in these lists do not end with a forward slash (/) or contain certain wildcard characters, the matching logic may inadvertently allow or block more URLs than intended.

This behavior creates a security risk where attackers could craft URLs that exploit the overly permissive pattern matching to bypass security policies, potentially accessing blocked content or exfiltrating data through unintended URL matches.

Critical Impact

Security policies using custom URL categories or EDLs may permit unintended traffic, allowing attackers to bypass URL filtering controls and potentially access malicious or restricted websites.

Affected Products

  • Palo Alto Networks PAN-OS versions earlier than 10.1.3
  • Palo Alto Networks PAN-OS versions earlier than 10.0.8
  • Palo Alto Networks PAN-OS versions earlier than 9.1.12
  • All Palo Alto Networks PAN-OS 9.0 versions
  • Palo Alto Networks PAN-OS versions earlier than 8.1.21
  • Palo Alto Networks Prisma Access 2.1 and 2.2

Discovery Timeline

  • 2022-02-10 - CVE-2022-0011 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-0011

Vulnerability Analysis

The vulnerability exists in how PAN-OS interprets hostname patterns within URL filtering profiles. When administrators configure custom URL category lists or external dynamic lists (EDL), the system uses pattern matching to determine whether a URL should be allowed or blocked based on configured policies.

The core issue is that hostname patterns without proper termination characters are interpreted more broadly than expected. For instance, an entry for example.com will match any URL that starts with that string, including example.com.malicious-site.test. This Interpretation Type Confusion (CWE-436) leads to unintended policy behavior.

The vulnerability has significant integrity impact because it allows traffic that should be blocked to pass through, or conversely blocks traffic that should be allowed. While confidentiality and availability are not directly impacted, the security policy bypass can enable further attacks by allowing access to malicious resources.

Root Cause

The root cause is improper handling of hostname pattern matching in URL filtering logic. The system treats incomplete hostname patterns (those not ending with /) as prefix matches rather than exact domain matches. This design decision creates ambiguity in policy enforcement when administrators expect exact domain matching but receive substring matching instead.

The pattern matching behavior follows these rules:

  • example.com matches any URL starting with example.com, including example.com.website.test
  • example.com.* matches URLs like example.com.website.test
  • example.com.^ matches any top-level domain variant like example.com.test

Attack Vector

This is a network-based attack vector that requires low privileges (authenticated user or network access) to exploit. An attacker with knowledge of the URL filtering rules in place can craft malicious URLs that exploit the pattern matching behavior to bypass security controls.

The attack scenario typically involves:

  1. The attacker identifies that the target organization uses Palo Alto Networks firewalls with URL filtering
  2. The attacker determines or guesses entries in the URL category allow lists
  3. The attacker registers or utilizes domains that would match the overly permissive patterns (e.g., if trusted-service.com is allowed, the attacker uses trusted-service.com.attacker-domain.test)
  4. Malicious traffic flows through the firewall as it matches the allow-list pattern

The vulnerability does not require user interaction to exploit once the attacker can route traffic through the affected firewall with misconfigured URL filtering rules.

Detection Methods for CVE-2022-0011

Indicators of Compromise

  • Unusual traffic to domains that appear to be subdomains of legitimate allowed domains but have additional suffixes
  • Access logs showing connections to domains matching pattern [allowed-domain].[malicious-domain]
  • URL filtering logs with unexpected pattern matches in custom categories

Detection Strategies

  • Audit all custom URL category lists and EDL entries for patterns lacking a trailing forward slash
  • Review URL filtering logs for traffic that matched custom categories but accessed unexpected destinations
  • Implement DNS monitoring to detect resolution of domains designed to exploit pattern matching weaknesses
  • Cross-reference firewall allow decisions with threat intelligence feeds to identify potentially malicious matches

Monitoring Recommendations

  • Enable detailed logging for URL filtering profile matches to track pattern-based decisions
  • Configure alerts for traffic matching custom URL categories to unexpected destination networks
  • Monitor external dynamic list update events and validate list contents against expected patterns
  • Review traffic analytics for anomalies in allowed URL categories that may indicate exploitation

How to Mitigate CVE-2022-0011

Immediate Actions Required

  • Audit all custom URL category lists and external dynamic lists for improperly terminated hostname patterns
  • Add trailing forward slashes (/) to all hostname entries that require exact domain matching
  • Review and update URL filtering policies to use explicit patterns instead of wildcards where possible
  • Test updated patterns in a non-production environment before deployment

Patch Information

Palo Alto Networks has addressed this vulnerability in the following versions:

  • PAN-OS 10.1.3 and later
  • PAN-OS 10.0.8 and later
  • PAN-OS 9.1.12 and later
  • PAN-OS 8.1.21 and later

For PAN-OS 9.0 users, upgrading to a supported version is required as 9.0 has reached end-of-life status. Prisma Access customers should contact Palo Alto Networks support for upgrade guidance. For detailed patch information, refer to the Palo Alto Networks Security Advisory.

Workarounds

  • Replace wildcard patterns with explicit hostname lists ending with forward slashes (e.g., use example.com/ instead of example.com)
  • Implement additional security controls such as DNS filtering to validate domain legitimacy
  • Use stricter URL filtering modes that require exact matches for custom categories
  • Consider implementing application-layer inspection to validate traffic beyond URL pattern matching
bash
# Example: Correcting URL category patterns in PAN-OS CLI
# Incorrect pattern (vulnerable):
# set profiles url-filtering custom-url-category allowed-sites list example.com

# Correct pattern (secure - note the trailing slash):
set profiles url-filtering custom-url-category allowed-sites list "example.com/"

# Verify current patterns in custom URL categories:
show running url-filtering custom-url-category

# Commit changes after corrections:
commit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne