CVE-2022-0022: 
PAN-OS vulnerability analysis and mitigation

CVE-2022-0022 is a vulnerability discovered in Palo Alto Networks PAN-OS software related to the usage of a weak cryptographic algorithm for storing password hashes of administrator and local user accounts. The vulnerability was disclosed on March 9, 2022, affecting multiple versions of PAN-OS software when running in normal (non-FIPS-CC) operational mode (Palo Alto Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.1 (MEDIUM) with the following metrics: Attack Vector: LOCAL, Attack Complexity: HIGH, Privileges Required: HIGH, User Interaction: NONE, Scope: UNCHANGED, Confidentiality Impact: HIGH, Integrity Impact: NONE, Availability Impact: NONE. The weakness type is classified as CWE-916: Use of Password Hash With Insufficient Computational Effort (Palo Alto Advisory).

The vulnerability allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. An attacker must have access to the account password hashes to exploit this weakness, which can be acquired if they gain access to the PAN-OS software configuration (Palo Alto Advisory).

The issue has been fixed in PAN-OS versions 8.1.21, 9.0.17, 9.1.11, 10.0.7, and all later versions. After upgrading to a fixed version, passwords for all existing local user and administrator accounts must be changed to leverage the more secure cryptography for password hashes. Additional mitigation includes ensuring exported firewall configuration files are secured, using complex passwords, and considering switching to FIPS-CC mode (Palo Alto Advisory).