Palo Alto Releases Patch for PAN-OS DoS Flaw — Update Immediately
Latest News on Palo Alto PAN-OS DoS Vulnerability CVE-2024-3393
Summary:
A high-severity (CVSS 8.7) Denial of Service (DoS) vulnerability, tracked as CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto Networks' PAN-OS software. An unauthenticated attacker can send a malicious packet through the firewall's data plane that causes the firewall to reboot; repeated attempts push it into maintenance mode, which takes it out of service until an administrator intervenes. The condition is only reachable when DNS Security logging is enabled, which is why the workarounds below focus on turning that logging off.
Affected Versions and Impact
- PAN-OS 11.2: all versions below 11.2.3 are affected.
- PAN-OS 11.1: all versions below 11.1.5 are affected.
- PAN-OS 10.2: versions from 10.2.8 onward are affected until the fix on their maintenance train (10.2.10-h12 or 10.2.13-h2, and the hotfix builds listed under Additional Fixes below).
- PAN-OS 10.1: versions from 10.1.14 up to but not including 10.1.14-h8 are affected.
- Prisma Access: deployments that use DNS Security on an affected PAN-OS version are impacted.
Mitigation and Update Instructions
- Apply Updates: upgrade to PAN-OS 11.2.3, 11.1.5, 10.2.13-h2, 10.1.15 or a later release, or to one of the hotfix builds listed under Additional Fixes below if you need to stay on your current maintenance train.
- Workarounds for Unmanaged NGFWs, NGFW Managed by Panorama, or Prisma Access Managed by Panorama:
  - For each Anti-spyware profile, navigate to Objects → Security Profiles → Anti-spyware → (select a profile) → DNS Policies → DNS Security.
  - Change the Log Severity to "none" for all configured DNS Security categories.
  - Commit the changes. This suppresses only the logging of DNS Security verdicts, but it also removes your visibility of those events, so revert the Log Severity settings as soon as the fixed release is installed.
- Workarounds for NGFW Managed by Strata Cloud Manager (SCM):
  - Option 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above.
  - Option 2: Disable DNS Security logging across all NGFWs in your tenant by opening a support case.
- Prisma Access Managed by Strata Cloud Manager (SCM):
  - Apply one of the workarounds above, or request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a support case.
- Upgrade Schedule:
  - Prisma Access customers will have upgrades performed in two phases, on the weekends of January 3rd and January 10th.
Additional Fixes
- PAN-OS 11.1 Fixes: 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, and 11.1.5.
- PAN-OS 10.2 Fixes: 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, and 10.2.13-h2.
- PAN-OS 10.1 Fixes: 10.1.14-h8 and 10.1.15.
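Working out whether a given firewall is exposed means comparing its running version against the ranges in Affected Versions and the hotfix builds in Additional Fixes, and PAN-OS hotfix suffixes (10.2.10-h12) do not sort correctly as plain strings. The Python below is an added example written for this page, not Palo Alto Networks code: it parses a PAN-OS version string, decides whether it falls in the affected ranges quoted above, names the nearest fixed release, and pulls the running version out of the `sw-version:` field of `show system info` CLI output. The version tables are transcribed from this page's lists and the CLI sample is constructed, so re-check both against the vendor advisory before relying on them.

```python
"""Offline check of a PAN-OS version against the CVE-2024-3393 ranges quoted
on this page. Added example code; the tables are transcribed from the page,
not fetched from the vendor."""
import re

# MAJOR.MINOR.MAINT with an optional -hN hotfix suffix, e.g. 10.2.10-h12
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'10.2.10-h12' -> (10, 2, 10, 12). A release without a hotfix gets
    hotfix 0, so it sorts below every hotfix on the same maintenance train."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# First hotfix on each maintenance train that carries the fix
# (transcribed from the Additional Fixes list above).
FIXED_HOTFIX = {
    (11, 1, 2): 16, (11, 1, 3): 13, (11, 1, 4): 7,
    (10, 2, 8): 19, (10, 2, 9): 19, (10, 2, 10): 12,
    (10, 2, 11): 10, (10, 2, 12): 4, (10, 2, 13): 2,
    (10, 1, 14): 8,
}

# Half-open [first affected, first fixed) windows for trains that have no
# hotfix entry above (transcribed from Affected Versions).
AFFECTED_WINDOWS = [
    ((11, 2, 0, 0), (11, 2, 3, 0)),
    ((11, 1, 0, 0), (11, 1, 5, 0)),
    ((10, 2, 8, 0), (10, 2, 13, 2)),
    ((10, 1, 14, 0), (10, 1, 14, 8)),
]

# Lowest fixed base release per feature branch, used as the upgrade target
# when the running train has no hotfix of its own.
BRANCH_FIX = {(11, 2): "11.2.3", (11, 1): "11.1.5",
              (10, 2): "10.2.13-h2", (10, 1): "10.1.15"}


def is_affected(version):
    """True if the version falls inside the affected ranges on this page."""
    v = parse_version(version)
    train = v[:3]
    if train in FIXED_HOTFIX:
        # A fix exists on this train: anything below that hotfix is exposed.
        return v[3] < FIXED_HOTFIX[train]
    return any(lo <= v < hi for lo, hi in AFFECTED_WINDOWS)


def recommended_fix(version):
    """Nearest fixed release for an affected version, or None if not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    train = v[:3]
    if train in FIXED_HOTFIX:
        return "%d.%d.%d-h%d" % (train + (FIXED_HOTFIX[train],))
    return BRANCH_FIX[v[:2]]


def sw_version_from_system_info(output):
    """Extract the 'sw-version:' field from PAN-OS `show system info` output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line in output")


# Constructed sample of `show system info` output (not from a real device).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-440
sw-version: 10.2.10-h9
app-version: 8920-9014
"""

if __name__ == "__main__":
    for ver in ["10.2.10-h9", "10.2.10-h12", "11.1.1", "11.1.4-h7",
                "11.2.2", "10.1.15", "10.1.14-h3"]:
        print(f"{ver:12} affected={is_affected(ver)!s:5} "
              f"fix={recommended_fix(ver)}")
    running = sw_version_from_system_info(SAMPLE_SYSTEM_INFO)
    print("running", running, "->", recommended_fix(running))
```

The split between `FIXED_HOTFIX` and `AFFECTED_WINDOWS` matters: a 10.2.10-h13 build is newer than the 10.2.10-h12 fix on its own train and must not be flagged just because it sorts below 10.2.13-h2, so a train with a known fix is judged against that hotfix first and the branch-wide windows only cover trains that received no hotfix.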
Conclusion
CVE-2024-3393 requires immediate attention from anyone running an affected PAN-OS version or a Prisma Access deployment that uses DNS Security. Upgrade to a fixed release where you can; where you cannot yet, apply the logging workaround so that a single malicious packet cannot reboot the firewall and repeated ones cannot force it into maintenance mode, and revert the workaround once the fix is installed.