Critical DoS Vulnerability Found in Palo Alto Networks PAN-OS (CVE-2024-3393)

A high-severity Denial-of-Service (DoS) vulnerability, tracked as CVE-2024-3393, has been discovered in the DNS Security feature of Palo Alto Networks PAN-OS.

This flaw allows unauthenticated attackers to send specially crafted packets that can crash firewalls and potentially disrupt operations. Organizations using affected versions should act promptly to mitigate the risk.

Vulnerability Details and Impact

The vulnerability arises when a malicious packet is processed through the firewall’s data plane, causing the system to reboot. Repeated exploitation could force the firewall into maintenance mode, significantly impacting availability.

The issue has a CVSS score of 8.7 (HIGH), with an attack complexity rated as low and no authentication required.

Key characteristics of the vulnerability include:

  • Attack Vector: Network-based
  • Privileges Required: None
  • User Interaction: None
  • Impact: High on availability; no effect on confidentiality or integrity.

Palo Alto Networks has confirmed exploitation in production environments, emphasizing the urgency for remediation.

Affected Products and Versions

The vulnerability impacts multiple versions of PAN-OS when DNS Security logging is enabled. Affected versions include:

  • PAN-OS 11.2: Below 11.2.3
  • PAN-OS 11.1: Below 11.1.5
  • PAN-OS 10.2: Below 10.2.10-h12 and 10.2.13-h2
  • PAN-OS 10.1: Below 10.1.14-h8
  • Prisma Access: Affected when running vulnerable PAN-OS versions.

Cloud NGFW products are not impacted.

Mitigation and Fixes

Palo Alto Networks has released patches to address the issue in the following versions:

  • PAN-OS 10.1.14-h8 and later
  • PAN-OS 10.2.10-h12, 10.2.13-h2 (ETA: December 31), and later
  • PAN-OS 11.1.5 and later
  • PAN-OS 11.2.3 and later

For Prisma Access customers, upgrades will be rolled out on January 3rd and January 10th, with expedited updates available upon request.
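The version lists above are easy to misread once hotfix suffixes are involved (10.2.13-h1 sorts after 10.2.10-h12 but is still below its own train's fix). The following is an added Python example, not code from this article or from Palo Alto Networks, that encodes the listed fixed releases and classifies a PAN-OS version string, then runs over a constructed sample inventory; it assumes that a later maintenance release in the same train also carries the fix, and reports trains the article does not list as "unlisted" rather than treating them as safe.

```python
import re

# Fixed releases per PAN-OS train, from the version lists above, as (major, minor,
# maint, hotfix). Assumption: a later maintenance release in a train is also fixed.
FIXED_RELEASES = {
    (10, 1): [(10, 1, 14, 8)],
    (10, 2): [(10, 2, 10, 12), (10, 2, 13, 2)],
    (11, 1): [(11, 1, 5, 0)],
    (11, 2): [(11, 2, 3, 0)],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_panos_version(text):
    """Parse 'major.minor.maint[-hN]' into (major, minor, maint, hotfix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def cve_2024_3393_status(version_text):
    """Return 'fixed', 'affected' or 'unlisted' (train absent from the lists above)."""
    major, minor, maint, hotfix = parse_panos_version(version_text)
    fixes = FIXED_RELEASES.get((major, minor))
    if fixes is None:
        return "unlisted"  # e.g. 9.1.x: check the vendor advisory, do not assume safe
    for _, _, fix_maint, fix_hotfix in fixes:
        if maint == fix_maint:  # exact maintenance release that received a hotfix
            return "fixed" if hotfix >= fix_hotfix else "affected"
    if maint > max(fix[2] for fix in fixes):  # newer than every listed fix
        return "fixed"
    return "affected"  # older, or between listed fixes (e.g. 10.2.11): be conservative

def triage_inventory(inventory_lines):
    """Map 'hostname version' inventory lines to a CVE-2024-3393 status per host."""
    statuses = {}
    for line in inventory_lines:
        if line.strip() and not line.startswith("#"):
            host, version = line.split()
            statuses[host] = cve_2024_3393_status(version)
    return statuses

SAMPLE_INVENTORY = """\
# constructed sample inventory (not real devices): hostname  sw-version
fw-edge-1  10.2.10-h11
fw-edge-2  10.2.13-h2
fw-dc-1    11.1.4
fw-dc-2    11.2.3
"""
```

Any host reported as "affected" still has the interim mitigation below available until it can be upgraded; "unlisted" means only that the article gives no verdict for that train.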

Administrators unable to immediately apply fixes can implement temporary mitigations by disabling DNS Security logging:

  1. Navigate to Objects → Security Profiles → Anti-spyware → DNS Policies.
  2. Set “Log Severity” to “none” for all DNS Security categories.
  3. Commit the change, and revert it once the fixed release has been installed.

This vulnerability underscores the need for proactive patch management to maintain firewall integrity and prevent service disruptions in critical network environments.
