Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto Networks’ PAN-OS software.

This flaw allows unauthenticated attackers to exploit firewalls through specially crafted packets, causing denial-of-service (DoS) conditions.

The issue has been actively exploited, prompting urgent mitigation measures.

Details of the Vulnerability

The vulnerability stems from improper handling of malicious DNS packets within the data plane of affected firewalls.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

Attackers can send a specially crafted packet that forces the firewall to reboot. Repeated exploitation can push the firewall into maintenance mode, rendering it non-operational.

This issue is classified as high severity with a CVSS score of 8.7, highlighting its significant impact on system availability.

Key characteristics of the vulnerability include:

• Attack Vector: Network-based
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None

The flaw affects specific versions of PAN-OS, including versions below 11.2.3, 11.1.5, and certain maintenance releases of 10.1 and 10.2.

Impact and Exploitation

The vulnerability has been observed in production environments where DNS Security logging is enabled.

Exploitation results in service disruptions, particularly for organizations relying on Palo Alto Networks’ firewalls for critical network security operations.

While confidentiality and integrity are unaffected, availability is significantly compromised.

Palo Alto Networks has confirmed that customers have experienced DoS attacks triggered by this issue.

The weakness is categorized under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CAPEC-540 (Overread Buffers).

Mitigation and Fixes

Palo Alto Networks has released patches to address the vulnerability in the following PAN-OS versions:

• PAN-OS 11.2: Fixed in version 11.2.3
• PAN-OS 11.1: Fixed in version 11.1.5
• PAN-OS 10.2: Fixed in versions 10.2.10-h12 and 10.2.13-h2
• PAN-OS 10.1: Fixed in version 10.1.14-h8

For Prisma Access customers, upgrades will be rolled out in phases on January 3rd and January 10th, 2025. Customers can expedite upgrades by submitting support cases.

As an immediate workaround, administrators can disable DNS Security logging by navigating to Anti-spyware profiles and setting DNS Security log severity to “none.”

This temporary measure should be reverted once fixes are applied.

Organizations are urged to update affected systems promptly or implement recommended mitigations to prevent service disruptions caused by this vulnerability.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free