WNE Security News
CVE-2024-3393 Palo Alto Networks PAN-OS Malicious DNS Packet Vulnerability
WNE Security Publisher
1/3/2025
Base Score: 9.1 (Critical)
CVE-2024-3393: Critical Denial of Service Vulnerability in Palo Alto Networks PAN-OS
CVE-2024-3393 is a high-severity Denial of Service (DoS) vulnerability identified in the DNS Security feature of Palo Alto Networks’ PAN-OS software. This flaw allows an unauthenticated attacker to send a specially crafted packet through the firewall’s data plane, causing the device to reboot. Repeated exploitation can force the firewall into maintenance mode, significantly disrupting network security operations.
What is Vulnerable to CVE-2024-3393
The vulnerability affects multiple versions of PAN-OS across various Palo Alto Networks firewall models, including PA-Series, VM-Series, CN-Series, and Prisma Access. Specifically, systems are vulnerable if both of the following conditions are met:
DNS Security License Applied: Either a DNS Security License or an Advanced DNS Security License is active.
DNS Security Logging Enabled: DNS Security logging is turned on.
The affected PAN-OS versions include:
PAN-OS 11.2: Versions prior to 11.2.3
PAN-OS 11.1: Versions prior to 11.1.5
PAN-OS 10.2: Versions 10.2.8 and later that are earlier than 10.2.14
PAN-OS 10.1: Versions 10.1.14 and later that are earlier than 10.1.15
It’s important to note that PAN-OS 11.0 has reached its end-of-life and will not receive a patch for this vulnerability.
Mitigation and Remediation for CVE-2024-3393
To address this vulnerability, Palo Alto Networks has released updates for the affected PAN-OS versions. Administrators are strongly advised to upgrade to the following fixed versions:
PAN-OS 11.2: Upgrade to version 11.2.3 or later.
PAN-OS 11.1: Upgrade to version 11.1.5 or later.
PAN-OS 10.2: Upgrade to version 10.2.14 or later.
PAN-OS 10.1: Upgrade to version 10.1.15 or later.
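The affected-version ranges, the two preconditions (DNS Security license plus DNS Security logging) and the fixed releases listed above can be turned into a simple inventory check. The following is an added example written for this page, not code from WNE Security or Palo Alto Networks; the version-string format it accepts (major.minor.maintenance with an optional "-hN" hotfix suffix) and the sample fleet are assumptions.

```python
import re

# Affected ranges as summarised above: lower bound inclusive (None = whole train),
# upper bound exclusive and equal to the fixed release an admin should move to.
AFFECTED = {
    (11, 2): (None, (11, 2, 3)),
    (11, 1): (None, (11, 1, 5)),
    (10, 2): ((10, 2, 8), (10, 2, 14)),
    (10, 1): ((10, 1, 14), (10, 1, 15)),
}
END_OF_LIFE = {(11, 0)}  # no fix will be published for this train
WORKAROUND = ("Objects > Security Profiles > Anti-Spyware > DNS Policies: "
              "set Log Severity to none for all DNS Security categories")

def parse_version(text):
    """Parse 'major.minor.maint'; an optional '-hN' hotfix suffix is ignored (assumption)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def assess(version, dns_security_license, dns_logging_enabled):
    """Classify one firewall: is the release affected, and is the DoS reachable?"""
    v = parse_version(version)
    train = v[:2]
    affected, action = False, "no action required"
    if train in END_OF_LIFE:
        affected, action = True, "11.0 is end-of-life: migrate to a supported, fixed release"
    elif train in AFFECTED:
        low, fixed = AFFECTED[train]
        if (low is None or v >= low) and v < fixed:
            affected, action = True, "upgrade to %d.%d.%d or later" % fixed
    # Both preconditions must hold for the crafted packet to trigger the reboot.
    exposed = affected and dns_security_license and dns_logging_enabled
    return {
        "version": version,
        "affected_release": affected,
        "exposed": exposed,
        "action": action,
        "interim_workaround": WORKAROUND if exposed else None,
    }

if __name__ == "__main__":
    # Constructed sample inventory (version, license active, DNS logging on); not real devices.
    fleet = [("10.2.10", True, True), ("10.2.14", True, True), ("11.1.4", True, False),
             ("11.0.3", True, True), ("10.2.7", True, True), ("10.1.14-h3", True, True)]
    for ver, lic, log in fleet:
        r = assess(ver, lic, log)
        print(f"{ver:>10}  affected={r['affected_release']!s:5} exposed={r['exposed']!s:5} {r['action']}")
```

Devices reported as affected but not exposed still need the upgrade; the workaround only removes the trigger condition, it does not fix the code.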
For environments where immediate upgrading is not feasible, a temporary mitigation involves disabling DNS Security logging:
Navigate to Objects > Security Profiles > Anti-Spyware > DNS Policies.
Set the Log Severity to none for all DNS Security categories.
However, this workaround may reduce visibility into DNS-related threats and should only be used as a short-term measure until the system can be fully patched.
Impact of Successful Exploitation of CVE-2024-3393
Exploiting this vulnerability can have significant consequences:
Firewall Reboot: An attacker can cause the firewall to reboot by sending a malicious packet, leading to temporary loss of network protection.
Maintenance Mode: Repeated attacks can force the firewall into maintenance mode, requiring manual intervention to restore normal operations.
Service Disruption: Continuous exploitation can result in prolonged network downtime, leaving the organization vulnerable to other attacks during the outage.
Given the active exploitation of this vulnerability in the wild, as reported by Palo Alto Networks, it is crucial to apply the recommended updates promptly to maintain network security.
Proof of Concept for CVE-2024-3393
As of now, no public proof-of-concept (PoC) exploit code for CVE-2024-3393 has been released. Due to the critical nature of this vulnerability and its active exploitation, sharing PoC code could further endanger unpatched systems. Security researchers and organizations are advised to focus on remediation and adhere to responsible disclosure practices to prevent facilitating malicious exploitation.
In conclusion, CVE-2024-3393 presents a serious threat to organizations utilizing affected versions of Palo Alto Networks’ PAN-OS with DNS Security features enabled. Immediate action through system upgrades or temporary mitigations is essential to protect network infrastructure from potential denial-of-service attacks.