CVE-2024-3393
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/R:U/V:C/RE:M/U:Amber
Summary
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | Cloud NGFW | All | unaffected |
| Palo Alto Networks | PAN-OS | 11.2.0 < 11.2.3 | affected |
| Palo Alto Networks | PAN-OS | 11.1.0 < 11.1.2-h16 | affected |
| Palo Alto Networks | PAN-OS | 10.2.8 < 10.2.8-h19 | affected |
| Palo Alto Networks | PAN-OS | 10.1.14 < 10.1.14-h8 | affected |
| Palo Alto Networks | PAN-OS | 10.2.0 < 10.2.8 | unaffected |
| Palo Alto Networks | PAN-OS | 11.2.0 < 11.2.3 | affected |
Weaknesses
- CWE-754: CWE-754 Improper Check for Unusual or Exceptional Conditions
Workarounds
If your firewall running the vulnerable PAN-OS versions stops responding or reboots unexpectedly and you cannot immediately apply a fix, apply a workaround below based on your deployment.
Unmanaged NGFWs, NGFW managed by Panorama, or Prisma Access managed by Panorama
For each Anti-spyware profile, navigate to Objects → Security Profiles → Anti-spyware → (select a profile) → DNS Policies → DNS Security.
Change the Log Severity to "none" for all configured DNS Security categories.
Commit the changes.
Remember to revert the Log Severity settings once the fixes are applied.
NGFW managed by Strata Cloud Manager (SCM)
You can choose one of the following mitigation options:
- Option 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above.
- Option 2: Disable DNS Security logging across all NGFWs in your tenant by opening a support case https://support.paloaltonetworks.com/Support/Index .
Prisma Access managed by Strata Cloud Manager (SCM)
Until we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a support case https://support.paloaltonetworks.com/Support/Index . If you would like to expedite the upgrade, please make a note of that in the support case.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: yes
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.