CVE-2024-9472
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber
Summary
A null pointer dereference in Palo Alto Networks PAN-OS software on PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series hardware platforms when Decryption policy is enabled allows an unauthenticated attacker to crash PAN-OS by sending specific traffic through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.
Palo Alto Networks VM-Series, Cloud NGFW, and Prisma Access are not affected.
This issue only affects PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series running these specific versions of PAN-OS:
- 10.2.7-h12
- 10.2.8-h10
- 10.2.9-h9
- 10.2.9-h11
- 10.2.10-h2
- 10.2.10-h3
- 10.2.11
- 10.2.11-h1
- 10.2.11-h2
- 10.2.11-h3
- 11.1.2-h9
- 11.1.2-h12
- 11.1.3-h2
- 11.1.3-h4
- 11.1.3-h6
- 11.2.2
- 11.2.2-h1
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | Cloud NGFW | All | unaffected |
| Palo Alto Networks | PAN-OS | 11.2.2 < 11.2.2-h3 | affected |
| Palo Alto Networks | PAN-OS | 11.1.2-h9 < 11.1.2-h14 | affected |
| Palo Alto Networks | PAN-OS | 11.0.0 | unaffected |
| Palo Alto Networks | PAN-OS | 10.2.7-h12 < 10.2.7-h16 | affected |
| Palo Alto Networks | PAN-OS | 10.1.0 | unaffected |
| Palo Alto Networks | Prisma Access | All | unaffected |
Weaknesses
- CWE-476: CWE-476 NULL Pointer Dereference
Workarounds
This issue does not impact firewalls that do not have url proxy or any decrypt-policy configured.
The issue can be completely mitigated by setting this option:
set system setting ctd nonblocking-pattern-match disable
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.