Palo Alto Fixes CVE-2024-3393 DNS Security Vulnerability in PAN-OS
![PALOALTO](https://www.techprovidence.com/wp-content/uploads/2024/12/freepik__candid-image-photography-natural-textures-highly-r__88155-768x525.jpeg)
Palo Alto Networks has disclosed a high-severity vulnerability, tracked as CVE-2024-3393, in its PAN-OS software. The flaw, rated 8.7 (CVSS v4.0), lets an attacker put an affected firewall into a denial-of-service (DoS) condition, which can take down every network path that depends on that device.
Affected Versions
The vulnerability affects the following PAN-OS versions:
PAN-OS 10.X and 11.X
Prisma Access running PAN-OS 10.2.8 or later but earlier than 11.2.3
Palo Alto Networks has released updates to address the issue in the following versions:
PAN-OS 10.1.14-h8
PAN-OS 10.2.10-h12
PAN-OS 11.1.5
PAN-OS 11.2.3
All later PAN-OS versions
Nature of the Vulnerability
According to Palo Alto Networks, the issue lies in the DNS Security feature of PAN-OS. An unauthenticated attacker can exploit it by sending a malicious packet through the firewall's data plane, which reboots the firewall. Repeated attempts to trigger the condition cause the firewall to enter maintenance mode, at which point it stops forwarding traffic until an administrator intervenes.
The company found the flaw in production use: customers experienced the DoS when their firewalls blocked malicious DNS packets that trigger the bug, so no deliberate attack is required for the crash to occur. Firewalls are only affected if DNS Security logging is enabled.
Workarounds and Mitigations
For customers unable to immediately apply the fixes, Palo Alto Networks recommends the following mitigations:
Unmanaged firewalls and Panorama-managed firewalls: Set the Log Severity to "none" for every configured DNS Security category in each Anti-Spyware profile, under Objects > Security Profiles > Anti-Spyware > (select a profile) > DNS Policies > DNS Security, then commit (and, from Panorama, push) the change.
Firewalls managed by Strata Cloud Manager (SCM): Disable DNS Security logging on each device, or open a support case to have it disabled across all managed devices.
Prisma Access tenants: Open a support case to disable DNS Security logging until the upgrade is performed.
Re-enable DNS Security logging once the firewall runs a fixed release; while the workaround is in place you lose visibility into DNS-based threats, even though blocking and sinkholing continue to work.
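The workaround has to be applied to every configured DNS Security category in every Anti-Spyware profile, and a single profile left at its default log level keeps the firewall exposed. The following Python is an added example, not code from the advisory or from Palo Alto Networks, that parses an exported PAN-OS configuration and lists each profile whose DNS Security categories still log. The XML fragment is constructed sample data; the element path profiles/spyware/entry/botnet-domains/dns-security-categories/entry/log-level, the category names, and the CLI set syntax it emits are assumptions about the PAN-OS schema that you should confirm against the running configuration of a real device.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed sample fragment of a PAN-OS running configuration with three
# Anti-Spyware profiles. ASSUMPTION: the path
# profiles/spyware/entry/botnet-domains/dns-security-categories/entry/log-level
# matches the PAN-OS config schema; confirm with `show config running` on a real device.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <profiles><spyware>
      <entry name="strict-dns">
        <botnet-domains><dns-security-categories>
          <entry name="pan-dns-sec-malware"><log-level>default</log-level><action>sinkhole</action></entry>
          <entry name="pan-dns-sec-cc"><log-level>high</log-level><action>block</action></entry>
          <entry name="pan-dns-sec-grayware"><log-level>none</log-level><action>allow</action></entry>
        </dns-security-categories></botnet-domains>
      </entry>
      <entry name="mitigated">
        <botnet-domains><dns-security-categories>
          <entry name="pan-dns-sec-malware"><log-level>none</log-level><action>sinkhole</action></entry>
        </dns-security-categories></botnet-domains>
      </entry>
      <entry name="no-dns-security"/>
    </spyware></profiles>
  </entry></vsys></entry></devices>
</config>"""


def dns_security_logging(config_xml: str) -> dict[str, list[str]]:
    """Return {profile name: [DNS Security categories that still log]}.

    A category counts as logging unless its log-level is explicitly "none",
    which is the setting the workaround asks for. Iterating by tag name keeps
    this working for per-vsys and shared/device-group layouts alike.
    """
    root = ET.fromstring(config_xml)
    findings: dict[str, list[str]] = {}
    for spyware in root.iter("spyware"):
        for profile in spyware.findall("entry"):
            cats = profile.findall("botnet-domains/dns-security-categories/entry")
            findings[profile.get("name")] = [
                cat.get("name")
                for cat in cats
                if (cat.findtext("log-level") or "default") != "none"
            ]
    return findings


def workaround_commands(findings: dict[str, list[str]]) -> list[str]:
    """Emit one configure-mode `set` line per category that still logs.

    ASSUMPTION: the CLI path mirrors the XML path on a single-vsys firewall
    (`set profiles spyware <profile> botnet-domains dns-security-categories
    <category> log-level none`); prefix with `set vsys <name>` on multi-vsys boxes.
    """
    return [
        f'set profiles spyware "{profile}" botnet-domains '
        f"dns-security-categories {cat} log-level none"
        for profile, cats in findings.items()
        for cat in cats
    ]


if __name__ == "__main__":
    found = dns_security_logging(SAMPLE_CONFIG)
    for profile, cats in found.items():
        state = "LOGGING: " + ", ".join(cats) if cats else "ok (no DNS Security logging)"
        print(f"{profile}: {state}")
    print("\n".join(workaround_commands(found)))
```

Run it against the output of `show config running` (or a Panorama export) instead of the constructed fragment, and review the generated `set` lines before pasting them into configure mode; the audit treats a missing log-level element as the default level, i.e. as still logging, which is the conservative reading.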
Fixes for Other Maintenance Releases
Palo Alto Networks has extended the fixes to commonly deployed maintenance releases, including:
PAN-OS 11.1 (11.1.2-h16, 11.1.3-h13, 11.1.4-h7, and 11.1.5)
PAN-OS 10.2 (10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, and 10.2.14)
PAN-OS 10.1 (10.1.14-h8 and 10.1.15)
PAN-OS 10.2.9-h19 and 10.2.10-h12 (for Prisma Access)
It is worth noting that PAN-OS 11.0 reached end-of-life on November 17, 2024, so no fix will be released for it; firewalls on 11.0 must be upgraded to a supported, fixed release.
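Because the fixes are spread across several maintenance trains with hotfix suffixes, checking a fleet by eye is error-prone: 10.2.12-h4 is fixed but 10.2.12 and 10.2.12-h3 are not, and 11.0 has no fix at all. The Python below is an added example, not code from the advisory, that parses PAN-OS version strings (major.minor.maintenance, optionally followed by -hN) and applies the advisory's fixed-release list, treating the last entry in each train as the "and later" threshold. The host inventory is constructed sample data, and the status labels are this example's own.

```python
from __future__ import annotations
import re
from typing import NamedTuple


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string carries no -hN suffix


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse '10.2.10-h12' into (10, 2, 10, 12); '11.1.5' into (11, 1, 5, 0)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Fixed releases as listed in the advisory, keyed by release train.
# The last entry of each train is the release from which every later
# maintenance release of that train is fixed as well ("10.2.14 and later").
FIXED_RELEASES = {
    (10, 1): ("10.1.14-h8", "10.1.15"),
    (10, 2): ("10.2.8-h19", "10.2.9-h19", "10.2.10-h12", "10.2.11-h10",
              "10.2.12-h4", "10.2.13-h2", "10.2.14"),
    (11, 1): ("11.1.2-h16", "11.1.3-h13", "11.1.4-h7", "11.1.5"),
    (11, 2): ("11.2.3",),
}
LATEST_FIXED_TRAIN = max(FIXED_RELEASES)


def assess(version: str) -> str:
    """Classify a version as 'fixed', 'vulnerable', 'no-fix' (a 10.X/11.X train
    with no fixed release, e.g. the end-of-life 11.0) or 'not-listed' (a major
    release the advisory does not name). Labels are this example's own."""
    v = parse_version(version)
    if v.major < 10:
        return "not-listed"
    train = (v.major, v.minor)
    if train not in FIXED_RELEASES:
        # Trains newer than anything in the table ship with the fix
        # (the advisory's "all later PAN-OS versions").
        return "fixed" if train > LATEST_FIXED_TRAIN else "no-fix"
    fixes = [parse_version(f) for f in FIXED_RELEASES[train]]
    if v.maint > fixes[-1].maint:
        return "fixed"
    for f in fixes:
        # Same maintenance release as a fixed hotfix: fixed from that hotfix onward.
        if v.maint == f.maint:
            return "fixed" if v.hotfix >= f.hotfix else "vulnerable"
    return "vulnerable"  # a maintenance release the advisory did not patch: upgrade


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Return {host: status} for every host that is not on a fixed release."""
    statuses = {host: assess(ver) for host, ver in inventory.items()}
    return {host: s for host, s in statuses.items() if s != "fixed"}


# Constructed sample inventory (hostname -> running PAN-OS version).
INVENTORY = {
    "fw-dc1-edge": "10.2.10-h12",
    "fw-dc1-core": "10.2.10-h11",
    "fw-branch-07": "11.1.4-h6",
    "fw-branch-12": "11.0.4-h5",
    "fw-lab": "11.2.4",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} -> {status}")
```

Feed it the `sw-version` field from `show system info` (or the equivalent Panorama managed-devices export) for each firewall; anything reported as vulnerable or no-fix needs either the upgrade or, in the meantime, the DNS Security logging workaround.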
Protecting Your Environment
Palo Alto Networks urges all affected customers to upgrade to a fixed release as soon as possible, and to apply the DNS Security logging workaround in the meantime where an immediate upgrade is not feasible. The advisory was published so that customers have what they need to assess and reduce their exposure.
For more details and to download the necessary updates, visit Palo Alto Networks’ official advisory.