Tuesday, January 14, 2025
Homecyber securityPalo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

Published on

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto Networks’ PAN-OS software.

This flaw allows unauthenticated attackers to exploit firewalls through specially crafted packets, causing denial-of-service (DoS) conditions.

The issue has been actively exploited, prompting urgent mitigation measures.

Details of the Vulnerability

The vulnerability stems from improper handling of malicious DNS packets within the data plane of affected firewalls.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

Attackers can send a specially crafted packet that forces the firewall to reboot. Repeated exploitation can push the firewall into maintenance mode, rendering it non-operational.

This issue is classified as high severity with a CVSS score of 8.7, highlighting its significant impact on system availability.

Key characteristics of the vulnerability include:

  • Attack Vector: Network-based
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

The flaw affects specific versions of PAN-OS, including versions below 11.2.3, 11.1.5, and certain maintenance releases of 10.1 and 10.2.

Impact and Exploitation

The vulnerability has been observed in production environments where DNS Security logging is enabled.

Exploitation results in service disruptions, particularly for organizations relying on Palo Alto Networks’ firewalls for critical network security operations.

While confidentiality and integrity are unaffected, availability is significantly compromised.

Palo Alto Networks has confirmed that customers have experienced DoS attacks triggered by this issue.

The weakness is categorized under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CAPEC-540 (Overread Buffers).

Mitigation and Fixes

Palo Alto Networks has released patches to address the vulnerability in the following PAN-OS versions:

  • PAN-OS 11.2: Fixed in version 11.2.3
  • PAN-OS 11.1: Fixed in version 11.1.5
  • PAN-OS 10.2: Fixed in versions 10.2.10-h12 and 10.2.13-h2
  • PAN-OS 10.1: Fixed in version 10.1.14-h8

For Prisma Access customers, upgrades will be rolled out in phases on January 3rd and January 10th, 2025. Customers can expedite upgrades by submitting support cases.

As an immediate workaround, administrators can disable DNS Security logging by navigating to Anti-spyware profiles and setting DNS Security log severity to “none.”

This temporary measure should be reverted once fixes are applied.

Organizations are urged to update affected systems promptly or implement recommended mitigations to prevent service disruptions caused by this vulnerability.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...