Exploitation of CVE-2024-3393 has been reported and could lead to a denial-of-service condition on PAN-OS firewalls

Threat ID:CC-4597

Threat Severity:Medium

Published:27 December 2024 11:36 AM

Summary

Affected platforms

The following platforms are known to be affected:

Palo Alto Networks PAN-OS

PAN-OS 10.1.14 before 10.1.14-h8

PAN-OS 10.2 from 10.2.8 before 10.2.10-h12 and 10.2.13-h2

PAN-OS 11.1 before 11.1.15

PAN-OS 11.2 before 11.2.3

Prisma Access on PAN-OS 10.2.8 to 11.2

PAN-OS 11.0 is affected by this issue but has reached end of life (EOL)

Cloud NGFW is not affected

DNS Security logging must be enabled for this vulnerability to affect PAN-OS software

Threat details

Exploitation of CVE-2024-3393 reported

Palo Alto Networks is aware of customers experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that trigger CVE-2024-3393.

Introduction

Palo Alto Networks has issued a security bulletin for a high severity denial-of-service (DoS) vulnerability affecting the DNS Security feature of the PAN-OS next-generation firewall (NGFW). DNS Security logging must be enabled for this issue to affect PAN-OS software. DNS Security is an optional add-on subscription that provides a comprehensive security solution to protect against DNS-based threats on PAN-OS devices.

CVE-2024-3393 has a maximum CVSSv4 score of 8.7, which if exploited could allow an unauthenticated attacker to send a malicious packet to the PAN-OS firewall, causing the firewall to reboot upon processing the packet. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

Remediation advice

Affected organisations are encouraged to review the Palo Alto Networks security advisory CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet and apply the relevant updates as soon as practicable.

If a firewall running the vulnerable PAN-OS versions stops responding or reboots unexpectedly and a fix cannot immediately be applied, organisations should apply a workaround below based on the deployment.

Note: Updates for Prisma Access will be deployed by Palo Alto in two phases on the weekends of January 3rd 2025 and January 10th 2025. Prisma Access customers should apply one of the workarounds detailed below until then.

Remediation steps


Patch	This issue is fixed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions. Note: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so Palo Alto does not intend to provide a fix for this release. Palo Alto has additionally made fixes available for other TAC-preferred and commonly deployed maintenance releases. Please review the Palo Alto advisory for full details. https://security.paloaltonetworks.com/CVE-2024-3393
Action	Unmanaged NGFWs, NGFW managed by Panorama, or Prisma Access managed by Panorama For each Anti-spyware profile, navigate to Objects → Security Profiles → Anti-spyware → (select a profile) → DNS Policies → DNS Security. Change the Log Severity to 'none' for all configured DNS security categories. Commit the changes. Palo Alto additionally advise reverting the Log Severity settings described above once the security patches are applied. https://security.paloaltonetworks.com/CVE-2024-3393
Action	NGFW managed by Strata Cloud Manager (SCM) Affected organisations can choose one of the following mitigation options: Option 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above. Option 2: Disable DNS Security logging across all NGFWs in the tenant by opening a support case. https://security.paloaltonetworks.com/CVE-2024-3393
Action	Prisma Access managed by Strata Cloud Manager (SCM) Until Palo Alto performs an upgrade of an affected Prisma Access tenant, organisations can disable DNS Security logging across all NGFWs in the tenant by opening a support case. To expedite the upgrade, please make a note in the support case. https://security.paloaltonetworks.com/CVE-2024-3393

Definitive source of threat updates

https://security.paloaltonetworks.com/CVE-2024-3393

CVE Vulnerabilities

StatusPublished

CVE-2024-3393A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

Last edited: 27 December 2024 11:36 am