Palo Alto Networks released a security advisory for an actively exploited vulnerability, tracked as CVE-2024-3393, in its firewall operating system PAN-OS. Successful exploitation results in a Denial of Service (DoS) condition on the firewall.
“Palo Alto Networks is aware of customers experiencing this Denial of Service (DoS) when their firewall blocks malicious DNS packets that trigger this issue,” the advisory states.
CISA added CVE-2024-3393 to its Known Exploited Vulnerabilities (KEV) Catalog, acknowledging its active exploitation, and directed users to patch the vulnerability before January 20, 2025.
PAN-OS is the operating system that powers all Palo Alto Networks next-generation firewalls. It provides the advanced security features of those devices, such as application identification, content inspection, and user identity recognition.
Vulnerability Details
The vulnerability exists in the DNS Security feature of PAN-OS. An unauthenticated attacker can exploit it by sending a malicious packet through the firewall's data plane, causing the firewall to reboot. Repeated attempts to trigger the condition cause the firewall to enter maintenance mode.
Affected and Patched Versions
| Versions | Affected | Patched |
| --- | --- | --- |
| Cloud NGFW | None | All |
| PAN-OS 11.2 | < 11.2.3 | >= 11.2.3 |
| PAN-OS 11.1 | < 11.1.5 | >= 11.1.5 |
| PAN-OS 10.2 | >= 10.2.8, < 10.2.10-h12, < 10.2.13-h2 | < 10.2.8, >= 10.2.10-h12, >= 10.2.13-h2 (ETA: December 31) |
| PAN-OS 10.1 | >= 10.1.14, < 10.1.14-h8 | < 10.1.14, >= 10.1.14-h8 |
| Prisma Access | >= 10.2.8 on PAN-OS, < 11.2.3 on PAN-OS | < 10.2.8 on PAN-OS, >= 11.2.3 on PAN-OS |
Note: PAN-OS 11.0 reached the End of Life (EOL) on November 17, 2024, so there will be no fix for this release.
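Reading the affected/patched table correctly takes some care, because PAN-OS hotfix builds (`10.2.10-h12`) only patch their own maintenance release: `10.2.11` is numerically higher than `10.2.10-h12` but is not covered by that fix. The following Python helper, added here as an example and not code from Palo Alto Networks or Qualys, parses PAN-OS version strings and classifies them against the PAN-OS rows of the table above so an inventory export can be triaged offline. It assumes the `major.minor.maintenance[-hN]` version format, treats a 10.2.x or 10.1.x build inside the affected range that has no listed hotfix as affected (the page lists no fix for it), and leaves Cloud NGFW and Prisma Access out, since those are not expressed as plain PAN-OS version ranges. The host names in the sample inventory are constructed.

```python
"""Classify PAN-OS versions against the CVE-2024-3393 advisory table (example code)."""
import re
from typing import Dict, NamedTuple, Optional, Tuple


class PanOsVersion(NamedTuple):
    """PAN-OS build as a comparable tuple; hotfix is 0 when no -hN suffix is present."""
    major: int
    minor: int
    maint: int
    hotfix: int


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse '10.2.10-h12' into PanOsVersion(10, 2, 10, 12); reject anything else."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Per-train rules transcribed from the table above.
#   floor      : lowest affected build in the train (None = every build below the fix)
#   fixed_from : first build from which the whole train is patched (11.x trains)
#   hotfixes   : {maintenance release: minimum patched hotfix} for trains where the
#                fix ships as a hotfix on specific maintenance releases (10.x trains)
RULES: Dict[Tuple[int, int], dict] = {
    (11, 2): {"floor": None, "fixed_from": (11, 2, 3, 0), "hotfixes": {}},
    (11, 1): {"floor": None, "fixed_from": (11, 1, 5, 0), "hotfixes": {}},
    (10, 2): {"floor": (10, 2, 8, 0), "fixed_from": None, "hotfixes": {10: 12, 13: 2}},
    (10, 1): {"floor": (10, 1, 14, 0), "fixed_from": None, "hotfixes": {14: 8}},
}
# PAN-OS 11.0 is end of life and receives no fix (see the note above the table).
EOL_TRAINS = {(11, 0)}


def classify(text: str) -> str:
    """Return one of: not-affected, affected, patched, affected-eol, unknown-train."""
    v = parse_version(text)
    train = (v.major, v.minor)
    if train in EOL_TRAINS:
        return "affected-eol"
    rule = RULES.get(train)
    if rule is None:
        return "unknown-train"  # train not listed on the page; check the advisory
    if rule["floor"] is not None and v < rule["floor"]:
        return "not-affected"
    if rule["fixed_from"] is not None:
        return "patched" if v >= rule["fixed_from"] else "affected"
    # Hotfix-based trains: only a hotfix on the *same* maintenance release counts.
    min_hotfix: Optional[int] = rule["hotfixes"].get(v.maint)
    if min_hotfix is not None and v.hotfix >= min_hotfix:
        return "patched"
    # Assumption: a build in the affected range with no listed hotfix is affected.
    return "affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each firewall name to its CVE-2024-3393 status."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: host name -> reported PAN-OS version.
    sample = {
        "fw-edge-01": "10.2.10-h12",
        "fw-edge-02": "10.2.11",
        "fw-dc-01": "11.1.4-h9",
        "fw-lab-01": "11.0.4",
        "fw-branch-07": "10.1.13",
    }
    for host, status in triage(sample).items():
        print(f"{host:14} {sample[host]:12} {status}")
```

Feed it the version column of a Panorama or SCM device export and act on every `affected` and `affected-eol` row; `unknown-train` rows need a manual look at the vendor advisory rather than being assumed safe.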
For more information, please refer to the Palo Alto Networks Security Advisory.
Workaround
Use the workaround below that matches your deployment if a firewall running a vulnerable PAN-OS version abruptly reboots or stops functioning and you cannot immediately apply a fix.
Unmanaged NGFWs, NGFW managed by Panorama, or Prisma Access managed by Panorama
- For each Anti-spyware profile, navigate to Objects → Security Profiles → Anti-spyware → (select a profile) → DNS Policies → DNS Security.
- Change the Log Severity to “none” for all configured DNS Security categories.
- Commit the changes.
NGFW managed by Strata Cloud Manager (SCM)
Users can choose one of the following mitigation options:
- Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above.
- Disable DNS Security logging across all NGFWs in your tenant by opening a support case.
Qualys Detection
Qualys customers can scan their devices with QID 732136 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://security.paloaltonetworks.com/CVE-2024-3393