PAN-OS Denial of Service (DoS) vulnerability (CVE-2024-3393)

A Denial of Service (DoS) vulnerability (CVE-2024-3393) has recently been identified in the DNS Security feature of Palo Alto Networks PAN-OS. The vulnerability allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition cause the firewall to enter maintenance mode.

Vulnerability

  • Denial of Service vulnerability (CVE-2024-3393)

Severity Level

  • High

Affected Products

  • PAN-OS 11.2:
    • < 11.2.3
  • PAN-OS 11.1:
    • < 11.1.5
  • PAN-OS 10.2:
    • >= 10.2.8
    • < 10.2.10-h12
    • < 10.2.13-h2
  • PAN-OS 10.1:
    • >= 10.1.14
    • < 10.1.14-h8
  • Prisma Access:
    • >= 10.2.8 on PAN-OS
    • < 11.2.3 on PAN-OS

Remediation

  • Apply the latest fixes to affected systems as soon as possible.
    (Note: PAN-OS 11.0 reached end of life (EOL) on November 17, 2024, so there is no fix for this release.)
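The version ranges listed under Affected Products are easy to misread when checked by hand, mainly because PAN-OS hotfix suffixes do not sort as strings ("10.2.10-h9" compares greater than "10.2.10-h12" character by character). The Python below is an added example, not part of this advisory or of any Palo Alto Networks tooling: it parses PAN-OS version strings into comparable tuples, encodes the ranges above, treats the 11.0 train as affected with no fix per the EOL note, and triages a constructed inventory. The split of the two 10.2 hotfix thresholds into two intervals and the hostnames are this example's assumptions.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

# PAN-OS releases look like "major.minor.maint" with an optional "-hN" hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Version:
    """Parse 'major.minor.maint[-hN]' into a tuple that compares correctly.

    A release without a hotfix suffix sorts as hotfix 0, so
    10.2.10 < 10.2.10-h12 and 10.2.10-h9 < 10.2.10-h12. Plain string
    comparison gets the second case wrong because '9' > '1'.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# Affected ranges transcribed from the advisory: lower bound inclusive,
# upper bound exclusive. The advisory lists two hotfix thresholds for the
# 10.2 train; splitting them into two intervals (10.2.10 fixed from h12,
# 10.2.13 fixed from h2) is this example's reading of that list.
AFFECTED_RANGES = {
    "PAN-OS": [
        ("11.2.0", "11.2.3"),
        ("11.1.0", "11.1.5"),
        ("10.2.8", "10.2.10-h12"),
        ("10.2.11", "10.2.13-h2"),
        ("10.1.14", "10.1.14-h8"),
    ],
    "Prisma Access": [
        ("10.2.8", "11.2.3"),  # ">= 10.2.8 on PAN-OS" and "< 11.2.3 on PAN-OS"
    ],
}

EOL_STATUS = "affected (11.0 is EOL, no fix available)"


def is_affected(version: str, product: str = "PAN-OS") -> bool:
    """True when the version falls inside one of the listed affected ranges."""
    v = parse_panos_version(version)
    for low, high in AFFECTED_RANGES[product]:
        if parse_panos_version(low) <= v < parse_panos_version(high):
            return True
    return False


def status(version: str, product: str = "PAN-OS") -> str:
    """Classify a version: affected, affected-but-EOL, or not in the listed ranges."""
    v = parse_panos_version(version)
    # The advisory notes PAN-OS 11.0 is end of life with no fix; flag the
    # whole train so it is not silently reported as clean.
    if product == "PAN-OS" and v[:2] == (11, 0):
        return EOL_STATUS
    if is_affected(version, product):
        return "affected"
    return "not in listed affected ranges"


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, status) for every device needing action."""
    results = []
    for host, version, product in inventory:
        st = status(version, product)
        if st.startswith("affected"):
            results.append((host, product, version, st))
    return results


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.2.10-h9", "PAN-OS"),     # below the 10.2.10-h12 threshold
    ("fw-edge-02", "10.2.10-h12", "PAN-OS"),    # exactly at the fixed hotfix
    ("fw-dc-01", "11.1.4", "PAN-OS"),           # below 11.1.5
    ("fw-dc-02", "11.2.3", "PAN-OS"),           # fixed release
    ("fw-branch-07", "10.1.14-h8", "PAN-OS"),   # fixed hotfix
    ("fw-lab-01", "11.0.4", "PAN-OS"),          # EOL train, no fix
    ("pa-gw-01", "11.1.5", "Prisma Access"),    # inside the Prisma Access range
]

if __name__ == "__main__":
    for host, product, version, st in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {st}")
```

The tuple comparison is the part worth keeping: any inventory script that compares PAN-OS versions as strings will misclassify hotfix releases in both directions. Versions outside every listed range are reported as "not in listed affected ranges" rather than "safe", because this check only knows what the advisory lists.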

Workaround

  • If a firewall running a vulnerable PAN-OS version stops responding or reboots unexpectedly and you cannot immediately apply a fix, apply the workaround below:
    • For each Anti-spyware profile, navigate to Objects → Security Profiles → Anti-spyware → (select a profile) → DNS Policies → DNS Security
    • Change the Log Severity to “none” for all configured DNS Security categories and commit the changes (remember to revert the Log Severity settings once the fixes are applied).

Published on: 27 Dec 2024