Palo Alto Networks has disclosed a high-severity vulnerability in its PAN-OS software that could cause a denial-of-service (DoS) condition on susceptible devices.
The vulnerability, tracked as CVE-2024-3393 (CVSS score: 8.7), affects PAN-OS versions 10.X and 11.X, as well as Prisma Access running those PAN-OS versions. It has been addressed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later versions of PAN-OS.
“A denial-of-service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall, which resets the firewall,” the company said in Friday’s advisory.
“Repeated attempts to invoke this condition will cause the firewall to enter maintenance mode.”
Palo Alto Networks said it discovered the bug in production and is aware that customers “are experiencing a denial of service (DoS) when their firewall blocks malicious DNS packets that cause this issue.”
The scope of the activity is still unknown. The Hacker News has reached out to Palo Alto Networks for further comment and will update this story when we hear back.
It should be noted that CVE-2024-3393 only affects firewalls that have DNS Security logging enabled. The severity of the flaw is also downgraded to a CVSS score of 7.1 when access is restricted to authenticated end users via Prisma Access.
Fixes have also been rolled out to other frequently deployed maintenance releases –
- PAN-OS 11.1 (11.1.2-h16, 11.1.3-h13, 11.1.4-h7 and 11.1.5)
- PAN-OS 10.2 (10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2 and 10.2.14)
- PAN-OS 10.1 (10.1.14-h8 and 10.1.15)
- PAN-OS 10.2.9-h19 and 10.2.10-h12 (only applies to Prisma Access)
- PAN-OS 11.0 (no fix, as this release reached end-of-life on November 17, 2024)
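Because fixes were shipped per maintenance release, a numerically "later" build is not necessarily patched: 10.2.11-h2 is newer than 10.2.10-h12 yet still vulnerable, since the fix for the 10.2.11 train is h10. The following script, added here as an illustration and not Palo Alto Networks' own tooling, encodes the fixed-release list from this article and grades version strings from a constructed inventory accordingly. It assumes that hotfix numbers are cumulative within a maintenance release (so a higher `-hN` on the same `X.Y.Z` includes the fix), and it says nothing about the DNS Security logging prerequisite, which must be checked on the device itself.

```python
import re

# Fixed releases as listed in the advisory summary above (11.2.3 is the only
# 11.2 fix named there). A version is considered fixed only relative to the
# entry for its own maintenance release, or if its maintenance number is
# higher than every fix listed for that train ("and all later versions").
FIXED_RELEASES = {
    "11.2": ["11.2.3"],
    "11.1": ["11.1.2-h16", "11.1.3-h13", "11.1.4-h7", "11.1.5"],
    "10.2": ["10.2.8-h19", "10.2.9-h19", "10.2.10-h12", "10.2.11-h10",
             "10.2.12-h4", "10.2.13-h2", "10.2.14"],
    "10.1": ["10.1.14-h8", "10.1.15"],
}
# Trains with no fix because they reached end-of-life.
EOL_TRAINS = {"11.0"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Split 'major.minor.maint[-hN]' into ints; a missing hotfix counts as h0."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version: str) -> str:
    """Classify a PAN-OS version against the CVE-2024-3393 fix list.

    Returns one of: 'fixed', 'vulnerable', 'eol-no-fix', 'unknown'.
    'unknown' means the train is not named in the fix list above; it is
    deliberately not reported as safe.
    """
    major, minor, maint, hotfix = parse_version(version)
    train = f"{major}.{minor}"
    if train in EOL_TRAINS:
        return "eol-no-fix"
    if train not in FIXED_RELEASES:
        return "unknown"

    # Map maintenance number -> minimum fixed hotfix number for this train.
    fixed_hotfix = {}
    for fixed in FIXED_RELEASES[train]:
        _, _, fixed_maint, fixed_h = parse_version(fixed)
        fixed_hotfix[fixed_maint] = fixed_h

    if maint in fixed_hotfix:
        # Same maintenance release: assumes hotfixes are cumulative.
        return "fixed" if hotfix >= fixed_hotfix[maint] else "vulnerable"
    if maint > max(fixed_hotfix):
        return "fixed"  # later maintenance release than any listed fix
    return "vulnerable"  # older maintenance release with no fix shipped


def audit(inventory: str) -> dict[str, str]:
    """Grade a 'hostname version' per-line inventory; returns host -> status."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        results[host] = assess(version)
    return results


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = """\
fw-edge-01 10.2.10-h9
fw-edge-02 10.2.10-h12
fw-branch-01 10.2.11-h2
fw-dc-01 11.1.4-h7
fw-dc-02 11.1.4-h3
fw-lab-01 11.0.4-h2
fw-lab-02 11.2.2-h1
"""

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:14s} {status}")
```

Hosts reported as `vulnerable` need either the listed fix for their maintenance release or the logging workaround described below; `eol-no-fix` hosts can only be upgraded to a supported train.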
As a workaround and mitigation for unmanaged or Panorama-managed firewalls, customers can set the log severity to "none" for all configured DNS Security categories in each Anti-Spyware profile by going to Objects > Security Profiles > Anti-Spyware > (select a profile) > DNS Policies > DNS Security.
For firewalls managed by Strata Cloud Manager (SCM), users can either follow the steps above to disable DNS Security logging directly on each device, or have it disabled on all of them at once by opening a support ticket. For Prisma Access tenants managed by SCM, it is recommended to open a support ticket to disable logging until the upgrade is performed.