CVE-2024-9472

Summary

A null pointer dereference in Palo Alto Networks PAN-OS software on PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series hardware platforms when Decryption policy is enabled allows an unauthenticated attacker to crash PAN-OS by sending specific traffic through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.

Palo Alto Networks VM-Series, Cloud NGFW, and Prisma Access are not affected.

This issue only affects PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series running these specific versions of PAN-OS:

  • 10.2.7-h12
  • 10.2.8-h10
  • 10.2.9-h9
  • 10.2.9-h11
  • 10.2.10-h2
  • 10.2.10-h3
  • 10.2.11
  • 10.2.11-h1
  • 10.2.11-h2
  • 10.2.11-h3
  • 11.1.2-h9
  • 11.1.2-h12
  • 11.1.3-h2
  • 11.1.3-h4
  • 11.1.3-h6
  • 11.2.2
  • 11.2.2-h1

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPAN-OS11.2.2 < 11.2.2-h3affected
Palo Alto NetworksPAN-OS11.1.2-h9 < 11.1.2-h14affected
Palo Alto NetworksPAN-OS11.0.0unaffected
Palo Alto NetworksPAN-OS10.2.7-h12 < 10.2.7-h16affected
Palo Alto NetworksPAN-OS10.1.0unaffected
Palo Alto NetworksPrisma AccessAllunaffected

Weaknesses

  • CWE-476: CWE-476 NULL Pointer Dereference

Workarounds

This issue does not impact firewalls that do not have url proxy or any decrypt-policy configured.

The issue can be completely mitigated by setting this option:

set system setting ctd nonblocking-pattern-match disable

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References