CVE-2024-9468: PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet (Severity: HIGH)

First published: Wed Oct 09 2024(Updated: )

A memory corruption vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker to crash PAN-OS due to a crafted packet through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.

Credit: psirt@paloaltonetworks.com

Affected Software	Affected Version	How to fix
Palo Alto Networks PAN-OS	<10.2.9-h11=10.2<11.0.4-h5=11.0<11.1.3=11.1	10.2.9-h11 10.2.10-h4 10.2.11 11.0.4-h5 11.0.6 11.1.3
Palo Alto Networks Cloud NGFW
Palo Alto Networks Prisma Access

Remedy

This issue is fixed in 10.2.9-h11, 10.2.10-h4, PAN-OS 10.2.11, PAN-OS 11.0.4-h5, PAN-OS 11.0.6, PAN-OS 11.1.3, and all later PAN-OS versions.

Remedy

Customers can block attacks for this vulnerability by disabling this setting: Device > Setup Session > Decryption Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection. Customers with a Threat Prevention subscription, who want to keep domain fronting detection enabled, can block attacks for this vulnerability by enabling Threat ID 94971 (introduced in Applications and Threats content version 8854).

Never miss a vulnerability like this again

Reference Links

https://security.paloaltonetworks.com/CVE-2024-9468

agent/references
agent/weakness
agent/type
agent/description
agent/author
collector/nvd-api
source/NVD
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/paloaltonetworks-latest
source/Palo Alto Networks
agent/title
agent/severity
agent/remedy
agent/first-publish-date
agent/tags
agent/event
agent/epss
collector/paloaltonetworks-api
agent/software-canonical-lookup
agent/softwarecombine
collector/epss-latest
source/FIRST
agent/trending
vendor/palo alto networks
canonical/palo alto networks pan-os
version/palo alto networks pan-os/10.2
version/palo alto networks pan-os/11.0
version/palo alto networks pan-os/11.1
canonical/palo alto networks cloud ngfw
canonical/palo alto networks prisma access

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.