CVE-2024-3386: PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended
First published: Wed Apr 10 2024(Updated: )
An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.
Credit: psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto Networks PAN-OS | >=9.0.0<9.0.16 | |
| Palo Alto Networks PAN-OS | >=9.1.0<9.1.17 | |
| Palo Alto Networks PAN-OS | >=10.0.0<10.0.13 | |
| Palo Alto Networks PAN-OS | >=10.1.0<=10.1.8 | |
| Palo Alto Networks PAN-OS | >=10.2.0<10.2.4 | |
| Palo Alto Networks PAN-OS | >=11.0.0<11.0.1 | |
| Palo Alto Networks PAN-OS | =9.0.17 | |
| Palo Alto Networks PAN-OS | =9.0.17-h1 | |
| Palo Alto Networks PAN-OS | =10.1.9 | |
| Palo Alto Networks PAN-OS | =10.1.9-h1 | |
| Palo Alto Networks PAN-OS | =10.2.4 | |
| Palo Alto Networks PAN-OS | =11.0.1 | |
| Palo Alto PAN-OS |
Remedy
This issue is fixed in 9.0.17-h2, 9.0.18, 9.1.17, 10.0.13, 10.1.9-h3, 10.1.10, 10.2.4-h2, 10.2.5, 11.0.1-h2, 11.0.2, 11.1.0 and all later PAN-OS versions.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-3386?
CVE-2024-3386 has been classified as a medium-severity vulnerability.
How do I fix CVE-2024-3386?
To remediate CVE-2024-3386, upgrade your Palo Alto Networks PAN-OS to a version that addresses the vulnerability.
Which versions of PAN-OS are affected by CVE-2024-3386?
CVE-2024-3386 affects PAN-OS versions prior to 9.0.17, 9.1.17, 10.0.13, 10.1.8, 10.2.4, and 11.0.1.
What does CVE-2024-3386 exploit?
CVE-2024-3386 exploits an incorrect string comparison that affects Predefined Decryption Exclusions functionality in PAN-OS.
Can CVE-2024-3386 impact my network security?
Yes, CVE-2024-3386 can lead to unintended exclusion of traffic from decryption, potentially exposing sensitive data.
- agent/weakness
- agent/title
- agent/references
- agent/remedy
- agent/type
- agent/description
- agent/first-publish-date
- agent/severity
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- vendor/paloaltonetworks
- canonical/palo alto networks pan-os
- version/palo alto networks pan-os/9.0.0
- version/palo alto networks pan-os/9.1.0
- version/palo alto networks pan-os/10.0.0
- version/palo alto networks pan-os/10.1.0
- version/palo alto networks pan-os/10.1.8
- version/palo alto networks pan-os/10.2.0
- version/palo alto networks pan-os/11.0.0
- version/palo alto networks pan-os/9.0.17
- version/palo alto networks pan-os/9.0.17-h1
- version/palo alto networks pan-os/10.1.9
- version/palo alto networks pan-os/10.1.9-h1
- version/palo alto networks pan-os/10.2.4
- version/palo alto networks pan-os/11.0.1
- vendor/palo alto networks
- canonical/palo alto pan-os