
Palo Alto Networks Releases Security Update for PAN-OS



Summary

Exploitation of CVE-2024-3393 has been reported and could lead to a denial-of-service condition on PAN-OS firewalls


Threat details

Exploitation of CVE-2024-3393 reported

Palo Alto Networks is aware of customers experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that trigger CVE-2024-3393.


Introduction

Palo Alto Networks has issued a security bulletin for a high severity denial-of-service (DoS) vulnerability affecting the DNS Security feature of the PAN-OS next-generation firewall (NGFW). DNS Security logging must be enabled for this issue to affect PAN-OS software. DNS Security is an optional add-on subscription that provides a comprehensive security solution to protect against DNS-based threats on PAN-OS devices.

CVE-2024-3393 has a maximum CVSSv4 score of 8.7. If exploited, it could allow an unauthenticated attacker to send a malicious packet to the PAN-OS firewall, causing the firewall to reboot upon processing the packet. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.


Remediation advice

Affected organisations are encouraged to review the Palo Alto Networks security advisory "CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet" and apply the relevant updates as soon as practicable.

If a firewall running a vulnerable PAN-OS version stops responding or reboots unexpectedly and a fix cannot immediately be applied, organisations should apply the workaround below that matches their deployment type.

Note: Updates for Prisma Access will be deployed by Palo Alto in two phases on the weekends of January 3rd 2025 and January 10th 2025. Prisma Access customers should apply one of the workarounds detailed below until then.


Remediation steps

Patch

This issue is fixed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.

Note: PAN-OS 11.0 reached end of life (EOL) on November 17, 2024, so Palo Alto does not intend to provide a fix for this release.

Palo Alto has additionally made fixes available for other TAC-preferred and commonly deployed maintenance releases. Please review the Palo Alto advisory for full details.
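The fixed releases above are per PAN-OS train, and the 11.0 train gets no fix at all, so a simple "is my version newer than X" comparison is easy to get wrong (for example, 10.1.14 without a hotfix is still below 10.1.14-h8). The following triage helper is an added example written for this advisory, not Palo Alto code: it parses a PAN-OS version string (including the `-hN` hotfix suffix), compares it against the minimum fixed release for its train as listed on this page, and takes into account the precondition that DNS Security logging must be enabled. The `show system info` output it reads is a constructed sample; the helper only encodes the four train minimums stated here, so a firewall on another maintenance release that Palo Alto has separately fixed should be checked against the vendor advisory rather than treated as vulnerable.

```python
import re

# Minimum fixed release per PAN-OS train, as stated in this advisory.
# Palo Alto has also issued fixes for other maintenance releases; those are
# not encoded here, so consult https://security.paloaltonetworks.com/CVE-2024-3393
# before acting on a "vulnerable" result for a release not listed below.
FIXED_BY_TRAIN = {
    (10, 1): "10.1.14-h8",
    (10, 2): "10.2.10-h12",
    (11, 1): "11.1.5",
    (11, 2): "11.2.3",
}

# Trains that are end of life and will not receive a fix (per this advisory).
EOL_UNFIXED_TRAINS = {(11, 0)}

# PAN-OS versions look like "10.2.10" or "10.2.10-h12" (hotfix suffix optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn a PAN-OS version string into a comparable (major, minor, maint, hotfix) tuple.

    A release without a hotfix suffix is treated as hotfix 0, so that
    10.1.14 sorts below 10.1.14-h8 and 10.1.15 sorts above it.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(sw_version, dns_security_logging_enabled=True):
    """Classify a firewall's exposure to CVE-2024-3393 from its PAN-OS version.

    Returns one of:
      "fixed"       - at or above the fixed release for its train
      "eol-unfixed" - on a train that will never receive a fix (11.0)
      "unknown"     - on a train this advisory does not list; check the vendor advisory
      "mitigated"   - vulnerable version, but DNS Security logging is disabled
                      (the workaround), so the crash condition is not reachable
      "vulnerable"  - vulnerable version with DNS Security logging enabled
    """
    version = parse_version(sw_version)
    train = version[:2]
    if train in EOL_UNFIXED_TRAINS:
        return "eol-unfixed"
    if train not in FIXED_BY_TRAIN:
        return "unknown"
    if version >= parse_version(FIXED_BY_TRAIN[train]):
        return "fixed"
    if not dns_security_logging_enabled:
        return "mitigated"
    return "vulnerable"


def sw_version_from_system_info(output):
    """Extract the sw-version value from `show system info` style output.

    Returns None if no sw-version line is present.
    """
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "sw-version":
            return value.strip()
    return None


# Constructed sample of the relevant lines from `show system info`
# (not captured from a real device).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-460
sw-version: 10.2.9-h1
app-version: 8900-9000
"""

if __name__ == "__main__":
    running = sw_version_from_system_info(SAMPLE_SYSTEM_INFO)
    print(f"running {running}: {assess(running)}")
    # With the Log Severity workaround applied, the same version is "mitigated".
    print(f"running {running} with DNS Security logging off: "
          f"{assess(running, dns_security_logging_enabled=False)}")
```

Feed it the `sw-version` line from each firewall's `show system info` output (or the equivalent from Panorama's device inventory) and treat a "vulnerable" result as the cue to patch, or to apply the Log Severity workaround below and then re-check with `dns_security_logging_enabled=False`.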


Source: https://security.paloaltonetworks.com/CVE-2024-3393

Action

Unmanaged NGFWs, NGFWs managed by Panorama, or Prisma Access managed by Panorama

  1. For each Anti-spyware profile, navigate to Objects → Security Profiles → Anti-spyware → (select a profile) → DNS Policies → DNS Security.
  2. Change the Log Severity to 'none' for all configured DNS security categories.
  3. Commit the changes.

Palo Alto additionally advises reverting the Log Severity settings described above once the security patches have been applied.


Source: https://security.paloaltonetworks.com/CVE-2024-3393

Action

NGFW managed by Strata Cloud Manager (SCM)

Affected organisations can choose one of the following mitigation options:

  Option 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above.
  Option 2: Disable DNS Security logging across all NGFWs in the tenant by opening a support case.

Source: https://security.paloaltonetworks.com/CVE-2024-3393

Action

Prisma Access managed by Strata Cloud Manager (SCM)

Until Palo Alto performs an upgrade of an affected Prisma Access tenant, organisations can disable DNS Security logging across all NGFWs in the tenant by opening a support case. To expedite the upgrade, request it in the same support case.


Source: https://security.paloaltonetworks.com/CVE-2024-3393

Definitive source of threat updates


Last edited: 27 December 2024 11:36 am