CVE-2024-3393: PAN-OS Vulnerability Now Exploited in the Wild

Palo Alto Networks has issued a security advisory concerning a critical vulnerability in the DNS Security feature of its PAN-OS software. Tracked as CVE-2024-3393, this flaw carries a CVSS score of 8.7 and has been categorized as a high-severity issue. Exploitation of the vulnerability could allow an unauthenticated attacker to disrupt firewall operations and force them into maintenance mode.

According to the advisory, the vulnerability arises when a specially crafted malicious packet is sent through the firewall’s data plane. This triggers a condition that causes the firewall to reboot, leading to a denial-of-service (DoS) state. Palo Alto Networks explained, “Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.”

The vulnerability affects specific versions of PAN-OS:

• PAN-OS 11.2: Affected versions are below 11.2.3.
• PAN-OS 11.1: Affected versions are below 11.1.5.
• PAN-OS 10.2: Affected versions are below 10.2.10-h12 or 10.2.13-h2.
• PAN-OS 10.1: Affected versions are below 10.1.14-h8.

Notably, PAN-OS 11.0 has reached its end of life (EOL) and will not receive a fix.

Palo Alto Networks has confirmed cases where customers experienced a DoS condition when their firewalls blocked malicious DNS packets that exploited this issue. However, the company has not disclosed specific details about the extent of exploitation or the attackers involved.

The CVE-2024-3393 vulnerability is addressed in the following PAN-OS versions:

• PAN-OS 11.2.3
• PAN-OS 11.1.5
• PAN-OS 10.2.10-h12
• PAN-OS 10.2.13-h2
• PAN-OS 10.1.14-h8

The advisory urges customers to upgrade their systems to these versions or later to mitigate the risk. For Prisma Access customers, upgrades will be conducted in phases, with expedited upgrades available upon request.

For organizations unable to apply the fixes immediately, Palo Alto Networks recommends disabling DNS Security logging. This can be achieved by navigating to Objects → Security Profiles → Anti-spyware → DNS Policies → DNS Security and changing the Log Severity to “none” for all categories. However, the advisory emphasizes that these settings should be reverted once the fixes are applied to restore full functionality.

Palo Alto Networks advises, “If your firewall running the vulnerable PAN-OS versions stops responding or reboots unexpectedly and you cannot immediately apply a fix, apply a workaround.”

Related Posts:

• Palo Alto Networks Investigates Potential Remote Code Execution Vulnerability in PAN-OS
• Palo Alto Networks Raises Alarm on Firewall Vulnerability Following Active Exploitation
• CISA Warns of Actively Exploited Vulnerabilities in Kemp LoadMaster and Palo Alto Networks PAN-OS
• PAN-OS arbitrary code execution vulnerability