CVE-2024-3385

Summary

A packet processing mechanism in Palo Alto Networks PAN-OS software enables a remote attacker to reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.

This affects the following hardware firewall models:

  • PA-5400 Series firewalls
  • PA-7000 Series firewalls

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksPAN-OS9.0.0 < 9.0.17-h4affected
Palo Alto NetworksPAN-OS9.1.0 < 9.1.17affected
Palo Alto NetworksPAN-OS10.1.0 < 10.1.12affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.8affected
Palo Alto NetworksPAN-OS11.0.0 < 11.0.3affected
Palo Alto NetworksPAN-OS11.1.0unaffected
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPrisma AccessAllunaffected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation
  • CWE-476: CWE-476: NULL Pointer Dereference

Workarounds

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94993 (introduced in Applications and Threats content version 8832).

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References