
CVE-2024-3393 Palo Alto Networks PAN-OS Malicious DNS Packet Vulnerability


WNE Security Publisher

1/3/2025

Base Score: 9.1 (Critical)


CVE-2024-3393: Critical Denial of Service Vulnerability in Palo Alto Networks PAN-OS

CVE-2024-3393 is a high-severity Denial of Service (DoS) vulnerability identified in the DNS Security feature of Palo Alto Networks’ PAN-OS software. This flaw allows an unauthenticated attacker to send a specially crafted packet through the firewall’s data plane, causing the device to reboot. Repeated exploitation can force the firewall into maintenance mode, significantly disrupting network security operations.

What is Vulnerable to CVE-2024-3393

The vulnerability affects multiple versions of PAN-OS across various Palo Alto Networks firewall models, including PA-Series, VM-Series, CN-Series, and Prisma Access. Specifically, systems are vulnerable if both of the following conditions are met:

  1. DNS Security License Applied: Either a DNS Security License or an Advanced DNS Security License is active.

  2. DNS Security Logging Enabled: DNS Security logging is turned on.

The affected PAN-OS versions include:

  • PAN-OS 11.2: Versions prior to 11.2.3

  • PAN-OS 11.1: Versions prior to 11.1.5

  • PAN-OS 10.2: Versions from 10.2.8 up to, but not including, 10.2.14

  • PAN-OS 10.1: Versions from 10.1.14 up to, but not including, 10.1.15

It’s important to note that PAN-OS 11.0 has reached its end-of-life and will not receive a patch for this vulnerability.
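As an added fleet check that is not part of the original advisory, the Python below encodes the affected-version ranges and the two preconditions listed above and classifies each device in a constructed inventory; hostnames, version strings and the status labels are this example's own, and PAN-OS 11.0 is treated as affected with no fix because the advisory says it will not be patched.

```python
import re

# Affected ranges from the advisory above, keyed by release train: (lowest affected version, or None for "every earlier version"; first fixed version).
AFFECTED_RANGES = {
    (11, 2): (None, (11, 2, 3)),
    (11, 1): (None, (11, 1, 5)),
    (10, 2): ((10, 2, 8), (10, 2, 14)),
    (10, 1): ((10, 1, 14), (10, 1, 15)),
}
EOL_TRAINS = {(11, 0)}  # end-of-life per the advisory: no patch coming for this train
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_version(text):
    """Parse 'major.minor.patch' with an optional '-hN' hotfix suffix; the hotfix
    number is dropped because the advisory lists fixes at patch granularity only."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def assess(version, dns_sec_license, dns_sec_logging):
    """Classify one firewall against CVE-2024-3393: 'vulnerable', 'vulnerable-no-fix'
    (EOL 11.0 train), 'affected-version' (precondition off), 'not-affected', 'unlisted'."""
    v = parse_version(version)
    train = v[:2]
    if train in EOL_TRAINS:
        in_range, eol = True, True
    elif train in AFFECTED_RANGES:
        low, high = AFFECTED_RANGES[train]
        in_range, eol = (low is None or v >= low) and v < high, False
    else:
        return "unlisted"  # train the advisory does not mention; check the vendor
    if not in_range:
        return "not-affected"
    if not (dns_sec_license and dns_sec_logging):
        return "affected-version"  # not exploitable as configured, but still upgrade
    return "vulnerable-no-fix" if eol else "vulnerable"


def sweep(inventory):
    """Run assess() over {hostname: (version, dns_security_license, dns_security_logging)}."""
    return {host: assess(*fields) for host, fields in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up, not real devices.
SAMPLE_INVENTORY = {
    "fw-edge-1": ("10.2.10-h3", True, True),   # in range, both preconditions -> vulnerable
    "fw-edge-2": ("11.1.5", True, True),       # at the fixed version -> not-affected
    "fw-dc-1": ("11.0.4", True, True),         # EOL train -> vulnerable-no-fix
    "fw-lab": ("10.1.14", True, False),        # logging off -> affected-version
}
```

A device reported as affected-version still needs the upgrade, since re-enabling DNS Security logging would make it exploitable again.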

Mitigation and Remediation for CVE-2024-3393

To address this vulnerability, Palo Alto Networks has released updates for the affected PAN-OS versions. Administrators are strongly advised to upgrade to the following fixed versions:

  • PAN-OS 11.2: Upgrade to version 11.2.3 or later.

  • PAN-OS 11.1: Upgrade to version 11.1.5 or later.

  • PAN-OS 10.2: Upgrade to version 10.2.14 or later.

  • PAN-OS 10.1: Upgrade to version 10.1.15 or later.

For environments where immediate upgrading is not feasible, a temporary mitigation involves disabling DNS Security logging:

  1. Navigate to Objects > Security Profiles > Anti-Spyware > DNS Policies.

  2. Set the Log Severity to "none" for every DNS Security category.

However, this workaround may reduce visibility into DNS-related threats and should only be used as a short-term measure until the system can be fully patched.

Impact of Successful Exploitation of CVE-2024-3393

Exploiting this vulnerability can have significant consequences:

  • Firewall Reboot: An attacker can cause the firewall to reboot by sending a malicious packet, leading to temporary loss of network protection.

  • Maintenance Mode: Repeated attacks can force the firewall into maintenance mode, requiring manual intervention to restore normal operations.

  • Service Disruption: Continuous exploitation can result in prolonged network downtime, leaving the organization vulnerable to other attacks during the outage.

Given the active exploitation of this vulnerability in the wild, as reported by Palo Alto Networks, it is crucial to apply the recommended updates promptly to maintain network security.

Proof of Concept for CVE-2024-3393

As of now, no public proof-of-concept (PoC) exploit code for CVE-2024-3393 has been released. Due to the critical nature of this vulnerability and its active exploitation, sharing PoC code could further endanger unpatched systems. Security researchers and organizations are advised to focus on remediation and adhere to responsible disclosure practices to prevent facilitating malicious exploitation.

In conclusion, CVE-2024-3393 presents a serious threat to organizations utilizing affected versions of Palo Alto Networks’ PAN-OS with DNS Security features enabled. Immediate action through system upgrades or temporary mitigations is essential to protect network infrastructure from potential denial-of-service attacks.
