Exploited | CVSS 8.7 | CWE-754

CVE-2024-3393: PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet

First published: Fri Dec 27 2024

A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

Credit: psirt@paloaltonetworks.com

Affected Software / Affected Version / How to fix

Palo Alto Networks PAN-OS
  >=11.1.0 <=11.1.1
  >=11.2.0 <11.2.3
  10.1.14, 10.1.14-h2, 10.1.14-h4, 10.1.14-h6
  10.2.8, 10.2.8-h3, 10.2.8-h4, 10.2.8-h10, 10.2.8-h13, 10.2.8-h15, 10.2.8-h18
  10.2.9, 10.2.9-h1, 10.2.9-h9, 10.2.9-h11, 10.2.9-h14, 10.2.9-h16, 10.2.9-h18
  10.2.10, 10.2.10-h2, 10.2.10-h3, 10.2.10-h4, 10.2.10-h5, 10.2.10-h7, 10.2.10-h9, 10.2.10-h10
  10.2.11, 10.2.11-h1, 10.2.11-h2, 10.2.11-h3, 10.2.11-h4, 10.2.11-h6, 10.2.11-h9
  10.2.12, 10.2.12-h1, 10.2.12-h2, 10.2.12-h3
  10.2.13, 10.2.13-h1
  11.1.2, 11.1.2-h1, 11.1.2-h3, 11.1.2-h4, 11.1.2-h9, 11.1.2-h12, 11.1.2-h14, 11.1.2-h15
  11.1.3, 11.1.3-h1, 11.1.3-h2, 11.1.3-h4, 11.1.3-h6, 11.1.3-h10, 11.1.3-h11
  11.1.4, 11.1.4-h1, 11.1.4-h4

All of:
  Paloaltonetworks Prisma Access
  Any of (Palo Alto Networks PAN-OS):
    >=10.2.11 <11.2.3
    10.2.8, 10.2.8-h3, 10.2.8-h4, 10.2.8-h10, 10.2.8-h13, 10.2.8-h15, 10.2.8-h18, 10.2.8-h19
    10.2.9, 10.2.9-h1, 10.2.9-h9, 10.2.9-h11, 10.2.9-h14, 10.2.9-h16, 10.2.9-h18
    10.2.10, 10.2.10-h2, 10.2.10-h3, 10.2.10-h4, 10.2.10-h5, 10.2.10-h7, 10.2.10-h9, 10.2.10-h10

Palo Alto Networks Cloud NGFW

Palo Alto Networks PAN-OS
  >=11.2.0 <11.2.3
  >=11.1.0 <11.1.5

How to fix: 11.2.3, 11.1.5, 11.1.4-h7, 11.1.2-h16, 11.1.3-h13

Remedy

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Remedy

If your firewall running the vulnerable PAN-OS versions stops responding or reboots unexpectedly and you cannot immediately apply a fix, apply a workaround below based on your deployment.

Unmanaged NGFWs, NGFW managed by Panorama, or Prisma Access managed by Panorama

1. Ensure that a DNS Security Configuration is already present in the device's configuration. See the "Required Configuration for Exposure" section for details.
2. Within Objects → Security Profiles (https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-web-interface-help/objects/objects-security-profiles-anti-spyware-profile), determine if you use the predefined Anti-Spyware profiles (https://docs.paloaltonetworks.com/network-security/security-policy/administration/security-profiles/security-profile-anti-spyware) in your Security Policy. These are named "Default" or "Strict" (https://docs.paloaltonetworks.com/network-security/security-policy/administration/security-profiles/security-profile-anti-spyware). If you are using the predefined security profiles, clone the predefined Anti-Spyware profile (https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-web-interface-help/objects/move-clone-override-or-revert-objects/move-or-clone-an-object) for use as a custom Anti-Spyware profile. After cloning each relevant predefined Anti-Spyware profile, replace them with the cloned custom Anti-Spyware profile or group in your Security Rules (Policies → Security → (security rule) in either Actions → Profiles or Actions → Group (https://docs.paloaltonetworks.com/network-security/security-policy/administration/security-rules/create-a-security-policy-rule#create-a-security-policy-rule-panorama)).
3. For each custom Anti-Spyware profile, navigate to Objects → Security Profiles → Anti-Spyware → (select a custom profile) → DNS Policies → DNS Security.
4. Change the Log Severity to "none" for all configured DNS Security categories.
5. Commit the changes.

Note 1: Setting Log Severity to 'none' for devices that didn't have a DNS Security configuration may block DNS traffic that wasn't previously blocked. Additionally, this may happen without generating any log entries, making it difficult to detect the blocked traffic. Review the Required Configuration for Exposure section for instructions on identifying existing DNS Security Configuration.

Note 2: Remember to revert the Log Severity settings once the fixes are applied.

NGFW managed by Strata Cloud Manager (SCM)

You can choose one of the following mitigation options:
1. Option 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above.
2. Option 2: Disable DNS Security logging across all NGFWs in your tenant by opening a support case (https://support.paloaltonetworks.com/Support/Index).

Prisma Access managed by Strata Cloud Manager (SCM)

Until we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a support case (https://support.paloaltonetworks.com/Support/Index). If you would like to expedite the upgrade, please make a note of that in the support case.

Remedy

This issue is fixed in PAN-OS 10.1.15, PAN-OS 10.2.14, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.

Note: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release.

Prisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided in this advisory. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a support case (https://support.paloaltonetworks.com/Support/Index).

In addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.

Additional PAN-OS 11.1 releases with the fix:
* 11.1.2-h16 (available)
* 11.1.3-h13 (available)
* 11.1.4-h7 (available)
* 11.1.5 (available)

Additional PAN-OS 10.2 releases with the fix:
* 10.2.8-h19 (available)
* 10.2.9-h19 (available)
* 10.2.10-h12 (available)
* 10.2.11-h10 (available)
* 10.2.12-h4 (available)
* 10.2.13-h2 (available)
* 10.2.14 (ETA: early March)

Additional PAN-OS 10.1 releases with the fix:
* 10.1.14-h8 (available)
* 10.1.15 (ETA: end of February)

Additional PAN-OS releases with the fix only applicable to Prisma Access:
* 10.2.9-h19 (available)
* 10.2.10-h12 (available)
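As an added example, not part of this advisory or of any Palo Alto Networks tooling, the check below parses PAN-OS version strings including the "-hN" hotfix suffix and reports whether a version is fixed, vulnerable, or outside the release trains the advisory covers, using the fixed releases listed above. The "unknown" category, the treatment of the EOL 11.0 train as never fixed, and the rule that a hotfix-level fix applies only to its own maintenance release are this example's assumptions.

```python
import re
from typing import NamedTuple

class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string has no "-hN" suffix

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> PanOsVersion:
    """Parse '10.2.8-h19' -> PanOsVersion(10, 2, 8, 19). Hotfixes compare as ints,
    so a string sort that puts 'h9' after 'h12' cannot mislead the comparison."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))

# Fixed releases named in the advisory text. An entry without a hotfix (10.2.14)
# fixes that maintenance release and every later one in its major.minor train;
# an entry with a hotfix (10.2.8-h19) fixes only that maintenance release, from
# that hotfix onward (assumption made for this example).
FIXED_RELEASES = [parse_version(v) for v in (
    "10.1.15", "10.1.14-h8",
    "10.2.14", "10.2.8-h19", "10.2.9-h19", "10.2.10-h12",
    "10.2.11-h10", "10.2.12-h4", "10.2.13-h2",
    "11.1.5", "11.1.2-h16", "11.1.3-h13", "11.1.4-h7",
    "11.2.3",
)]

# Trains the advisory covers; 11.0 is EOL with no fix, so it never resolves to "fixed".
AFFECTED_TRAINS = {(10, 1), (10, 2), (11, 0), (11, 1), (11, 2)}

def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown' (train not covered by the advisory)."""
    v = parse_version(text)
    if (v.major, v.minor) not in AFFECTED_TRAINS:
        return "unknown"
    for f in FIXED_RELEASES:
        if (v.major, v.minor) != (f.major, f.minor):
            continue
        if f.hotfix == 0 and v.maint >= f.maint:
            return "fixed"
        if f.hotfix > 0 and v.maint == f.maint and v.hotfix >= f.hotfix:
            return "fixed"
    return "vulnerable"
```

Feed it the version strings from your device inventory; anything reported "vulnerable" needs the upgrade or the logging workaround described above.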


Frequently Asked Questions

  • What is the severity of CVE-2024-3393?

    CVE-2024-3393 has a high severity because it allows an unauthenticated attacker to remotely reboot the affected firewall due to a Denial of Service vulnerability.

  • How do I fix CVE-2024-3393?

    To fix CVE-2024-3393, you should upgrade your Palo Alto Networks PAN-OS to a version that addresses this vulnerability, specifically versions 11.2.3, 11.1.5, 11.1.4-h6, 11.1.2-h16, or 11.1.3-h13.

  • What types of Palo Alto Networks products are affected by CVE-2024-3393?

    CVE-2024-3393 affects the Palo Alto Networks PAN-OS and Cloud NGFW products.

  • What happens if CVE-2024-3393 is exploited?

    If exploited, CVE-2024-3393 allows attackers to send a malicious packet that causes the affected firewall to reboot, resulting in a Denial of Service.

  • Is there a work-around for CVE-2024-3393?

    Currently, there is no known work-around for CVE-2024-3393, so upgrading the affected software is the recommended action.

© 2025 SecAlerts Pty Ltd.