Clement Brako Akomea Table of Contents
A new critical issue, PAN-OS DoS vulnerability CVE-2024-3393, has been uncovered, affecting Palo Alto Networks’ PAN-OS software.
This high-severity flaw can lead to denial-of-service (DoS) attacks, allowing attackers to disrupt firewall operations by exploiting the DNS Security feature.
Palo Alto Networks urges users to apply the latest patches immediately to safeguard their systems. If your organization relies on PAN-OS, this patch is a must.
Key Takeaway: PAN-OS DoS Vulnerability CVE-2024-3393
- Unpatched PAN-OS devices remain at risk of critical DNS Security exploits, potentially leading to system downtime and security breaches.
Understanding the PAN-OS DoS Vulnerability CVE-2024-3393
What Is CVE-2024-3393?
CVE-2024-3393 is a vulnerability in the DNS Security feature of PAN-OS, allowing unauthenticated attackers to send malicious packets.
These packets can cause a firewall to reboot repeatedly, rendering it ineffective and forcing it into maintenance mode.
Affected PAN-OS Versions
This vulnerability impacts the following versions:
| PAN-OS Version | Status | Fixed in Version |
|---|---|---|
| 10.1.x | Vulnerable | 10.1.14-h8, 10.1.15 |
| 10.2.x | Vulnerable | 10.2.10-h12, 10.2.14 |
| 11.1.x | Vulnerable | 11.1.5 |
| 11.2.x | Vulnerable | 11.2.3 |
It’s worth noting that PAN-OS 11.0 has reached its end-of-life and no longer receives updates.
How Does CVE-2024-3393 Work?
When a malicious DNS packet is sent to a firewall with DNS Security enabled, the device is forced to reboot. Repeated attacks can keep the system in maintenance mode, disrupting services.
This makes the vulnerability particularly dangerous for organizations that rely heavily on firewalls to secure their networks.
Palo Alto Networks acknowledged discovering the issue in production and confirmed reports of customers experiencing real-world exploits.
This vulnerability’s risk drops to a CVSS score of 7.1 if authenticated user access is required, as in Prisma Access deployments.
The Fix: Patching PAN-OS
Palo Alto Networks has released patches addressing the issue. Users should update their systems to the following versions immediately:
| Version Family | Updated Version |
|---|---|
| PAN-OS 10.1.x | 10.1.14-h8, 10.1.15 |
| PAN-OS 10.2.x | 10.2.10-h12, 10.2.14 |
| PAN-OS 11.1.x | 11.1.5 |
| PAN-OS 11.2.x | 11.2.3 |
For Prisma Access tenants, ensure your system is running the latest supported version to mitigate risks.
Workarounds and Mitigation Options
For organizations unable to apply patches immediately, Palo Alto Networks recommends temporary workarounds:
- Disable DNS Security Logging:
Navigate to Objects > Security Profiles > Anti-Spyware. For each profile, set DNS Security log severity to “none.” - Open a Support Case:
Prisma Access tenants can request Palo Alto support to disable logging until updates are completed.
While these steps provide temporary relief, patching remains the most effective solution.
Real-World Impact and Lessons Learned
This scenario is reminiscent of the 2019 EternalBlue exploit, where outdated systems were targeted globally, causing widespread ransomware attacks.
Like then, this issue highlights the importance of timely patching and proactive cybersecurity measures.
What’s Next for Palo Alto Users?
As cyber threats evolve, vulnerabilities like PAN-OS DoS vulnerability CVE-2024-3393 are likely to persist. Future trends suggest attackers will continue targeting firewall vulnerabilities to gain access to enterprise networks.
To stay ahead:
- Regularly audit your systems for vulnerabilities.
- Ensure all software is up-to-date.
- Engage with cybersecurity experts to reinforce network defenses.
About Palo Alto Networks
Palo Alto Networks is a global leader in cybersecurity, providing cutting-edge solutions like PAN-OS, Prisma Access, and Cortex to secure enterprise systems against evolving threats.
Rounding Up
The PAN-OS DoS vulnerability CVE-2024-3393 underscores the need for vigilance in cybersecurity.
Keeping your systems updated and employing recommended workarounds can help protect your organization. Stay proactive and informed to ensure your network remains secure.
FAQs
What is PAN-OS DoS vulnerability CVE-2024-3393?
- It is a flaw in the DNS Security feature of PAN-OS software that allows attackers to reboot firewalls and disrupt services.
Which PAN-OS versions are vulnerable?
- PAN-OS versions 10.x and 11.x are affected, excluding patched versions listed in this article.
How do I protect my system from this vulnerability?
- Update to the latest PAN-OS version immediately or apply the recommended workarounds until an update is possible.
What are the risks if I don’t update?
- Your firewalls may be targeted, leading to downtime, service disruption, or potential data breaches.
Where can I find more information?
- Visit the official Palo Alto Networks advisory page for detailed guidance.
