First published: Fri Dec 27 2024(Updated: )
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
Credit: psirt@paloaltonetworks.com psirt@paloaltonetworks.com
Affected Software | Affected Version | How to fix |
---|---|---|
Palo Alto Networks PAN-OS | ||
Palo Alto Networks PAN-OS | >=11.1.0<=11.1.1 | |
Palo Alto Networks PAN-OS | >=11.2.0<11.2.3 | |
Palo Alto Networks PAN-OS | =10.1.14 | |
Palo Alto Networks PAN-OS | =10.1.14-h2 | |
Palo Alto Networks PAN-OS | =10.1.14-h4 | |
Palo Alto Networks PAN-OS | =10.1.14-h6 | |
Palo Alto Networks PAN-OS | =10.2.8 | |
Palo Alto Networks PAN-OS | =10.2.8-h10 | |
Palo Alto Networks PAN-OS | =10.2.8-h13 | |
Palo Alto Networks PAN-OS | =10.2.8-h15 | |
Palo Alto Networks PAN-OS | =10.2.8-h18 | |
Palo Alto Networks PAN-OS | =10.2.8-h3 | |
Palo Alto Networks PAN-OS | =10.2.8-h4 | |
Palo Alto Networks PAN-OS | =10.2.9 | |
Palo Alto Networks PAN-OS | =10.2.9-h1 | |
Palo Alto Networks PAN-OS | =10.2.9-h11 | |
Palo Alto Networks PAN-OS | =10.2.9-h14 | |
Palo Alto Networks PAN-OS | =10.2.9-h16 | |
Palo Alto Networks PAN-OS | =10.2.9-h18 | |
Palo Alto Networks PAN-OS | =10.2.9-h9 | |
Palo Alto Networks PAN-OS | =10.2.10 | |
Palo Alto Networks PAN-OS | =10.2.10-h10 | |
Palo Alto Networks PAN-OS | =10.2.10-h2 | |
Palo Alto Networks PAN-OS | =10.2.10-h3 | |
Palo Alto Networks PAN-OS | =10.2.10-h4 | |
Palo Alto Networks PAN-OS | =10.2.10-h5 | |
Palo Alto Networks PAN-OS | =10.2.10-h7 | |
Palo Alto Networks PAN-OS | =10.2.10-h9 | |
Palo Alto Networks PAN-OS | =10.2.11 | |
Palo Alto Networks PAN-OS | =10.2.11-h1 | |
Palo Alto Networks PAN-OS | =10.2.11-h2 | |
Palo Alto Networks PAN-OS | =10.2.11-h3 | |
Palo Alto Networks PAN-OS | =10.2.11-h4 | |
Palo Alto Networks PAN-OS | =10.2.11-h6 | |
Palo Alto Networks PAN-OS | =10.2.11-h9 | |
Palo Alto Networks PAN-OS | =10.2.12 | |
Palo Alto Networks PAN-OS | =10.2.12-h1 | |
Palo Alto Networks PAN-OS | =10.2.12-h2 | |
Palo Alto Networks PAN-OS | =10.2.12-h3 | |
Palo Alto Networks PAN-OS | =10.2.13 | |
Palo Alto Networks PAN-OS | =10.2.13-h1 | |
Palo Alto Networks PAN-OS | =11.1.2 | |
Palo Alto Networks PAN-OS | =11.1.2-h1 | |
Palo Alto Networks PAN-OS | =11.1.2-h12 | |
Palo Alto Networks PAN-OS | =11.1.2-h14 | |
Palo Alto Networks PAN-OS | =11.1.2-h15 | |
Palo Alto Networks PAN-OS | =11.1.2-h3 | |
Palo Alto Networks PAN-OS | =11.1.2-h4 | |
Palo Alto Networks PAN-OS | =11.1.2-h9 | |
Palo Alto Networks PAN-OS | =11.1.3 | |
Palo Alto Networks PAN-OS | =11.1.3-h1 | |
Palo Alto Networks PAN-OS | =11.1.3-h10 | |
Palo Alto Networks PAN-OS | =11.1.3-h11 | |
Palo Alto Networks PAN-OS | =11.1.3-h2 | |
Palo Alto Networks PAN-OS | =11.1.3-h4 | |
Palo Alto Networks PAN-OS | =11.1.3-h6 | |
Palo Alto Networks PAN-OS | =11.1.4 | |
Palo Alto Networks PAN-OS | =11.1.4-h1 | |
Palo Alto Networks PAN-OS | =11.1.4-h4 | |
All of | ||
Paloaltonetworks Prisma Access | ||
Any of | ||
Palo Alto Networks PAN-OS | >=10.2.11<11.2.3 | |
Palo Alto Networks PAN-OS | =10.2.8 | |
Palo Alto Networks PAN-OS | =10.2.8-h10 | |
Palo Alto Networks PAN-OS | =10.2.8-h13 | |
Palo Alto Networks PAN-OS | =10.2.8-h15 | |
Palo Alto Networks PAN-OS | =10.2.8-h18 | |
Palo Alto Networks PAN-OS | =10.2.8-h19 | |
Palo Alto Networks PAN-OS | =10.2.8-h3 | |
Palo Alto Networks PAN-OS | =10.2.8-h4 | |
Palo Alto Networks PAN-OS | =10.2.9 | |
Palo Alto Networks PAN-OS | =10.2.9-h1 | |
Palo Alto Networks PAN-OS | =10.2.9-h11 | |
Palo Alto Networks PAN-OS | =10.2.9-h14 | |
Palo Alto Networks PAN-OS | =10.2.9-h16 | |
Palo Alto Networks PAN-OS | =10.2.9-h18 | |
Palo Alto Networks PAN-OS | =10.2.9-h9 | |
Palo Alto Networks PAN-OS | =10.2.10 | |
Palo Alto Networks PAN-OS | =10.2.10-h10 | |
Palo Alto Networks PAN-OS | =10.2.10-h2 | |
Palo Alto Networks PAN-OS | =10.2.10-h3 | |
Palo Alto Networks PAN-OS | =10.2.10-h4 | |
Palo Alto Networks PAN-OS | =10.2.10-h5 | |
Palo Alto Networks PAN-OS | =10.2.10-h7 | |
Palo Alto Networks PAN-OS | =10.2.10-h9 | |
Palo Alto Networks Cloud NGFW | ||
Palo Alto Networks PAN-OS | <11.2.3=11.2.0<11.1.5=11.1.0 | 11.2.3 11.1.5 11.1.4-h7 11.1.2-h16 11.1.3-h13 |
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
If your firewall running the vulnerable PAN-OS versions stops responding or reboots unexpectedly and you cannot immediately apply a fix, apply a workaround below based on your deployment. Unmanaged NGFWs, NGFW managed by Panorama, or Prisma Access managed by Panorama 1. Ensure that a DNS Security Configuration is already present in the device's configuration. See the "Required Configuration for Exposure" section for details. 2. Within Objects → Security Profiles (https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-web-interface-help/objects/objects-security-profiles-anti-spyware-profile), determine if you use the predefined Anti-Spyware profiles (https://docs.paloaltonetworks.com/network-security/security-policy/administration/security-profiles/security-profile-anti-spyware) in your Security Policy. These are named "Default" or "Strict" (https://docs.paloaltonetworks.com/network-security/security-policy/administration/security-profiles/security-profile-anti-spyware). If you are using the predefined security profiles, clone the predefined Anti-Spyware profile (https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-web-interface-help/objects/move-clone-override-or-revert-objects/move-or-clone-an-object) for use as a custom Anti-Spyware profile. After cloning each relevant predefined Anti-Spyware profile, replace them with the cloned custom Anti-Spyware profile or group in your Security Rules (Policies → Security → (security rule) in either Actions → Profiles or Actions → Group (https://docs.paloaltonetworks.com/network-security/security-policy/administration/security-rules/create-a-security-policy-rule#create-a-security-policy-rule-panorama)). 3. For each custom Anti-Spyware profile, navigate to Objects → Security Profiles → Anti-Spyware → (select a custom profile) → DNS Policies → DNS Security. 4. Change the Log Severity to "none" for all configured DNS Security categories. 5. Commit the changes. Note 1: Setting Log Severity to 'none' for devices that didn't have a DNS Security configuration may block DNS traffic that wasn’t previously blocked. Additionally, this may happen without generating any log entries, making it difficult to detect the blocked traffic. Review the Required Configuration for Exposure section for instructions on identifying existing DNS Security Configuration. Note 2: Remember to revert the Log Severity settings once the fixes are applied. NGFW managed by Strata Cloud Manager (SCM) You can choose one of the following mitigation options: 1. Option 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above. 2. Option 2: Disable DNS Security logging across all NGFWs in your tenant by opening a support case (https://support.paloaltonetworks.com/Support/Index). Prisma Access managed by Strata Cloud Manager (SCM) Until we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a support case (https://support.paloaltonetworks.com/Support/Index). If you would like to expedite the upgrade, please make a note of that in the support case.
This issue is fixed in PAN-OS 10.1.15, PAN-OS 10.2.14, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions. Note: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release. Prisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided below. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a support case (https://support.paloaltonetworks.com/Support/Index). In addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases. Additional PAN-OS 11.1 releases with the fix: * 11.1.2-h16 (available) * 11.1.3-h13 (available) * 11.1.4-h7 (available) * 11.1.5 (available) Additional PAN-OS 10.2 releases with the fix: * 10.2.8-h19 (available) * 10.2.9-h19 (available) * 10.2.10-h12 (available) * 10.2.11-h10 (available) * 10.2.12-h4 (available) * 10.2.13-h2 (available) * 10.2.14 (ETA: early March) Additional PAN-OS 10.1 releases with the fix: * 10.1.14-h8 (available) * 10.1.15 (ETA: end of February) Additional PAN-OS releases with the fix only applicable to Prisma Access: * 10.2.9-h19 (available) * 10.2.10-h12 (available)
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-3393 has a high severity because it allows an unauthenticated attacker to remotely reboot the affected firewall due to a Denial of Service vulnerability.
To fix CVE-2024-3393, you should upgrade your Palo Alto Networks PAN-OS to a version that addresses this vulnerability, specifically versions 11.2.3, 11.1.5, 11.1.4-h6, 11.1.2-h16, or 11.1.3-h13.
CVE-2024-3393 affects the Palo Alto Networks PAN-OS and Cloud NGFW products.
If exploited, CVE-2024-3393 allows attackers to send a malicious packet that causes the affected firewall to reboot, resulting in a Denial of Service.
Currently, there is no known work-around for CVE-2024-3393, so upgrading the affected software is the recommended action.