The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding a newly discovered vulnerability in Palo Alto Networks’ PAN-OS versions. This addition reflects evidence of active exploitation, marking it as a critical risk to federal enterprises and beyond.
The vulnerability, identified as CVE-2024-3393, is classified as a Denial of Service (DoS) issue in the DNS Security feature of PAN-OS. This flaw could allow unauthenticated attackers to disrupt firewall operations, causing them to reboot repeatedly and potentially enter maintenance mode if the attack is sustained.
What Is the Vulnerability?
The vulnerability lies in the way PAN-OS processes malformed DNS packets. When a maliciously crafted packet is sent through the firewall’s data plane, it triggers a failure that forces the system to reboot. Repeated exploitation could render the firewall non-functional, thereby compromising network security.
The issue is particularly concerning for organizations using PA-Series, VM-Series, CN-Series firewalls, or Prisma Access solutions. This vulnerability affects specific versions of PAN-OS with DNS Security or Advanced DNS Security licenses enabled and DNS Security logging turned on.
Affected PAN-OS Versions
- PAN-OS 11.2: Versions below 11.2.3
- PAN-OS 11.1: Versions below 11.1.5
- PAN-OS 10.2: Versions between 10.2.8 and 10.2.14
- PAN-OS 10.1: Versions between 10.1.14 and 10.1.15
However, older PAN-OS versions such as 9.1 and 10.0, as well as Panorama M-Series and Panorama virtual appliances, remain unaffected.
Severity and Exploitation Status
This vulnerability is rated as High Severity, with a CVSS score of 8.7 for unauthenticated scenarios. The attack requires no user interaction, making it particularly dangerous in environments where network firewalls process untrusted DNS packets.
Palo Alto Networks has confirmed cases of active exploitation, where customers reported firewall disruptions caused by malicious DNS packets triggering the vulnerability.
Mitigation Measures
While Palo Alto Networks has released patches to address the issue, organizations that cannot immediately upgrade can apply the following workarounds:
- Security Profile Adjustments: Clone predefined Anti-Spyware profiles (e.g., “Default” or “Strict”) in the Security Policy and replace them with custom profiles.
- Tuning DNS Security Settings: Disable DNS Security logging temporarily if operationally feasible.
- Regular Monitoring: Continuously monitor for unusual firewall behavior, such as unexpected reboots.
These measures provide interim protection until a permanent fix is implemented.
Permanent Fixes Available
To fully mitigate the vulnerability, affected systems should upgrade to the following PAN-OS versions:
- PAN-OS 11.2.3 or later
- PAN-OS 11.1.5 or later
- PAN-OS 10.2.14 or later (ETA: January 2025)
- PAN-OS 10.1.15 or later (ETA: January 2025)
Palo Alto Networks has also released fixes for specific maintenance releases of PAN-OS to accommodate different deployment needs.
Understanding the Technical Impact
This DoS vulnerability compromises system availability by crashing or restarting the firewall. Improper exception handling and insufficient validation of DNS packets contribute to the flaw, categorized under:
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CAPEC-540: Overread Buffers
The consequences of this vulnerability extend beyond simple reboots. Attackers exploiting it could gain insights into system behavior, potentially refining their attacks to target other weaknesses.
How Organizations Can Protect Themselves
To address this vulnerability, organizations should consider both technical and procedural defenses:
- Upgrade Immediately: Ensure systems are running fixed PAN-OS versions.
- Enhance Error Handling: Developers should adopt exception-handling mechanisms to prevent cascading failures.
- Validate Inputs: Implement strict input validation to minimize the risk of processing malformed packets.
- Monitor Logs: Regularly audit log files for suspicious activity while ensuring sensitive details are not exposed.
- Fail Gracefully: Design systems to handle failures without exposing internal states to attackers.
Broader Implications
This vulnerability highlights the ongoing challenge of securing critical systems against sophisticated cyber threats. Attackers often exploit flaws in widely used technologies like PAN-OS, targeting organizations that rely heavily on them for network defense.
For federal enterprises, the risks are even higher due to the sensitive nature of their operations. CISA’s proactive inclusion of such vulnerabilities in its KEV Catalog highlights the need for timely updates and vigilant security practices.
Closing Thoughts
Organizations using Palo Alto Networks’ solutions must act swiftly to mitigate this vulnerability, whether by applying patches or deploying workarounds.
By adopting strong security practices and staying informed about emerging threats, businesses can better protect their networks and maintain operational resilience in the face of increasing cyber risks.
