Full Report
Palo Alto Networks has disclosed a high-severity vulnerability impacting PAN-OS software that could cause a denial-of-service (DoS) condition on susceptible devices. The flaw, tracked as CVE-2024-3393 (CVSS score: 8.7), impacts PAN-OS versions 10.X and 11.X, as well as Prisma Access running PAN-OS versions. It has been addressed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS
Analysis Summary
# Vulnerability: PAN-OS DNS Security Denial-of-Service (DoS) Flaw
## CVE Details
- CVE ID: CVE-2024-3393
- CVSS Score: 8.7 (High)
- CWE: (Not explicitly stated, likely related to improper input validation or resource exhaustion)
## Affected Systems
- Products: Palo Alto Networks PAN-OS, Prisma Access running PAN-OS
- Versions: PAN-OS versions 10.X and 11.X (Specific vulnerable maintenance releases are implied by the provided patches, consult vendor advisories for the full list)
- Configurations: Firewalls that observe malicious DNS packets through the data plane and have the DNS Security logging feature enabled.
## Vulnerability Description
A denial-of-service vulnerability exists within the DNS Security feature of Palo Alto Networks PAN-OS software. An unauthenticated attacker can send a specially crafted malicious packet through the data plane of the firewall, triggering a condition that causes the firewall to reboot. Repeated attempts can force the firewall into maintenance mode, leading to a sustained denial of service.
## Exploitation
- Status: Known to be abused in production; Palo Alto Networks is aware of customers "experiencing this denial-of-service (DoS)."
- Complexity: Low (Unauthenticated attacker needs network access to send the malicious packet through the data plane).
- Attack Vector: Network
- Impact on Prisma Access: If accessed only by authenticated end users via Prisma Access, the severity drops to CVSS 7.1.
## Impact
- Confidentiality: Unknown/Not the primary impact, but potential service interruption could indirectly impact data access.
- Integrity: Unknown/Not the primary impact, but a crash/reboot affects service integrity.
- Availability: High (Firewall reboots or enters maintenance mode, leading to service outage).
## Remediation
### Patches
Palo Alto Networks has released fixes across several release tracks. Users are advised to update to the listed fixed maintenance release for their track, or a later one:
* **PAN-OS 10.1.x:** 10.1.14-h8, 10.1.15, and later.
* **PAN-OS 10.2.x:** 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14, and later. (Specific versions like 10.2.8-h19, 10.2.9-h19 are also listed for various scenarios/Prisma Access).
* **PAN-OS 11.1.x:** 11.1.5, 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, and later.
* **PAN-OS 11.2.x:** 11.2.3, and later.
*Note: PAN-OS 11.0 reached End-of-Life (EOL) on Nov 17, 2024, and does not receive a fix in this advisory.*
### Workarounds
For unmanaged firewalls or those managed by Panorama, customers can mitigate the issue by disabling DNS Security logging for triggering profiles:
1. Navigate to **Objects > Security Profiles > Anti-spyware**.
2. Select an Anti-Spyware profile.
3. Navigate to **DNS Policies > DNS Security**.
4. Set the **Log Severity** to **"none"** for all configured DNS Security categories.
## Detection
- Indicators of Compromise: Unexpected firewall reboots, or the firewall entering maintenance mode, shortly after malicious DNS packets are blocked by the firewall.
- Detection Methods and Tools: No specific signature is detailed. Detection consists of correlating firewall logs for DNS Security events with a subsequent crash, reboot, or entry into maintenance mode. Note that the workaround above disables exactly this DNS Security logging, so a device that is unpatched and relies on the workaround loses that visibility; on such devices, monitor system logs for unexpected reboots and maintenance-mode entries instead.
## References
- Vendor Advisory: security.paloaltonetworks.com/CVE-2024-3393
- News Source: thehackernews.com/2024/12/palo-alto-releases-patch-for-pan-os-dos.html