CVE-2024-3393: Critical PAN-OS Firewall Vulnerability

CVE-2024-3393 is a critical vulnerability in Palo Alto Networks’ PAN-OS software, impacting firewalls with the DNS Security feature enabled. This flaw allows an unauthenticated attacker to send specially crafted packets through the firewall’s data plane, forcing it to reboot. Repeated exploitation can lead to a Denial-of-Service (DoS) condition, rendering the firewall inoperable. Given its severity and active exploitation, organizations must take immediate action to mitigate the risks associated with this vulnerability.

[Figure: DNS Security vulnerability flowchart]

Understanding CVE-2024-3393

  • Vulnerability Type: Denial-of-Service (DoS)
  • Affected Product: PAN-OS (Palo Alto Networks’ firewall operating system)
  • Exploitation: Unauthenticated attacker sends crafted DNS packets
  • Impact: Firewall reboot, potential maintenance mode lockout
  • CVSS Score: 8.7 (High Severity)

This vulnerability is particularly dangerous because it can be exploited remotely without authentication, making any exposed firewall with vulnerable configurations a potential target.

Affected PAN-OS Versions

The following versions are vulnerable if DNS Security logging is enabled:

  • PAN-OS 11.2: Versions prior to 11.2.3
  • PAN-OS 11.1: Versions prior to 11.1.5
  • PAN-OS 10.2: Versions from 10.2.8 up to, but not including, 10.2.14
  • PAN-OS 10.1: Versions from 10.1.14 up to, but not including, 10.1.15
  • Prisma Access: Versions 10.2.8 and later, but before 11.2.3

For more information on CVE-2024-3393, visit the CVE Details page.

Only systems with a DNS Security License (standard or advanced) and DNS Security logging enabled are vulnerable.
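Because the affected ranges above mix "anything before X" trains with bounded "from Y up to X" trains, checking an inventory by eye is error-prone. The following is an added example, not Palo Alto Networks code: it encodes exactly the ranges listed in this article and applies the license-plus-logging precondition as explicit inputs. It assumes the `major.minor.patch[-hN]` version format used by PAN-OS; the vendor advisory also names specific hotfix builds as fixed within these trains, which this article does not list, so the check is deliberately conservative and treats a hotfix as affected unless its base release is already outside the range. Confirm borderline results against the advisory before deciding not to upgrade.

```python
"""Check PAN-OS and Prisma Access versions against the CVE-2024-3393 ranges.

Added example (not vendor code). Ranges come from the article's
"Affected PAN-OS Versions" list; they are (inclusive lower bound,
exclusive upper bound). A None lower bound means "every release of that
major.minor train below the fix".
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

AFFECTED_RANGES: dict[str, Tuple[Optional[Version], Version]] = {
    "11.2": (None, (11, 2, 3)),
    "11.1": (None, (11, 1, 5)),
    "10.2": ((10, 2, 8), (10, 2, 14)),
    "10.1": ((10, 1, 14), (10, 1, 15)),
}

# Prisma Access is listed as a single span across trains.
PRISMA_LOWER: Version = (10, 2, 8)
PRISMA_UPPER: Version = (11, 2, 3)


def parse_version(text: str) -> Version:
    """Parse '10.2.9-h1' into (10, 2, 9, 1); a missing hotfix counts as 0.

    The hotfix number is kept as a fourth element so that '10.2.13-h5'
    still sorts below '10.2.14' and '11.2.3-h1' sorts above '11.2.3'.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version: str) -> bool:
    """True if a PAN-OS release falls inside one of the advisory's ranges."""
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    if train not in AFFECTED_RANGES:
        return False  # trains the article does not list (e.g. 11.0)
    lower, upper = AFFECTED_RANGES[train]
    if lower is not None and v < lower:
        return False
    return v < upper


def is_prisma_access_affected(version: str) -> bool:
    """Prisma Access: 10.2.8 and later, but before 11.2.3."""
    v = parse_version(version)
    return PRISMA_LOWER <= v < PRISMA_UPPER


def is_exposed(version: str, dns_security_licensed: bool,
               dns_security_logging: bool) -> bool:
    """Version in range AND the two feature preconditions from the advisory.

    A firewall without the DNS Security license, or with DNS Security
    logging turned off, is not vulnerable even on an affected build.
    """
    return is_affected(version) and dns_security_licensed and dns_security_logging


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    inventory = [("fw-edge-1", "10.2.9-h1", True, True),
                 ("fw-dc-2", "11.1.4", True, False),
                 ("fw-lab", "11.2.3", True, True)]
    for name, ver, lic, log in inventory:
        print(f"{name:10} {ver:10} affected={is_affected(ver)} "
              f"exposed={is_exposed(ver, lic, log)}")
```

Run it against an export of `show system info` output from each device; a device that is affected but not exposed still deserves the upgrade, since enabling DNS Security logging later would make it vulnerable without any further change.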

Understanding the Exploitation of CVE-2024-3393

[Figure: Firewall reboot DNS Security attack diagram]

Attackers can exploit CVE-2024-3393 by sending a maliciously crafted DNS packet to the affected firewall. Upon processing this packet, the firewall’s data plane crashes, triggering an automatic reboot. If repeatedly attacked, the firewall can enter maintenance mode, causing prolonged downtime and service disruption.

Mitigation Steps

Immediate Fix: Upgrade PAN-OS

Organizations should upgrade to the latest fixed versions:

  • PAN-OS 11.2.3 or later
  • PAN-OS 11.1.5 or later
  • PAN-OS 10.2.14 or later
  • PAN-OS 10.1.15 or later

Temporary Workaround

If an upgrade is not immediately feasible, disabling DNS Security logging can mitigate the risk:

  1. Log in to the PAN-OS Web Interface
  2. Navigate to Objects > Security Profiles > Anti-Spyware
  3. Select the active security profile
  4. Go to DNS Policies > DNS Security
  5. Set Log Severity to ‘None’ for all categories
  6. Commit the changes

Note: This is a temporary measure, and logging should be re-enabled once the firewall is updated.

How to Detect if Your System Has Been Targeted

[Figure: Indicators of Compromise in DNS traffic]

Indicators of Compromise (IoCs)

  • Unexpected firewall reboots
  • Logs showing abnormal DNS traffic patterns
  • Devices entering maintenance mode unexpectedly

Administrators should analyze their logs for suspicious DNS requests and monitor firewall uptime to detect potential attacks.
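The IoCs above (unexpected reboots, then maintenance mode after repeated ones) can be turned into a simple uptime check. The following is an added example, not from the article or from Palo Alto Networks. It assumes the firewall's uptime is polled on a fixed schedule (for instance the standard MIB-II `sysUpTime` object over SNMP, or `show system info` on the management interface) and that each poll is recorded as a (timestamp, uptime in seconds) pair. A reboot shows up as uptime falling below the previous sample; several reboots inside a short window is the repeated-exploitation pattern the article describes, and that is what the check alerts on. The sample data is constructed.

```python
"""Flag repeated reboots of a firewall from periodic uptime samples.

Added example (not vendor code). Input: a list of (poll time, uptime in
seconds) pairs from any monitoring source that exposes uptime. Output: the
poll times at which a reboot was observed, the peak number of reboots in a
sliding window, and whether that peak crosses an alert threshold.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Sample = Tuple[datetime, int]  # (poll time, uptime in whole seconds)

DEFAULT_WINDOW = timedelta(hours=1)
DEFAULT_THRESHOLD = 3  # reboots within DEFAULT_WINDOW that trigger an alert

# Constructed 10-minute polls: a healthy firewall, then three reboots
# inside 50 minutes (uptime drops at 00:30, 00:50 and 01:20).
SAMPLES: List[Sample] = [
    (datetime(2025, 1, 10, 0, 0), 400_000),
    (datetime(2025, 1, 10, 0, 10), 400_600),
    (datetime(2025, 1, 10, 0, 20), 401_200),
    (datetime(2025, 1, 10, 0, 30), 150),    # reboot between 00:20 and 00:30
    (datetime(2025, 1, 10, 0, 40), 750),
    (datetime(2025, 1, 10, 0, 50), 90),     # reboot between 00:40 and 00:50
    (datetime(2025, 1, 10, 1, 0), 690),
    (datetime(2025, 1, 10, 1, 10), 1_290),
    (datetime(2025, 1, 10, 1, 20), 200),    # reboot between 01:10 and 01:20
    (datetime(2025, 1, 10, 1, 30), 800),
]


def detect_reboots(samples: List[Sample]) -> List[datetime]:
    """Return poll times at which uptime went backwards.

    Uptime can only decrease if the device restarted between two polls.
    Samples are sorted first so out-of-order collection does not create
    false reboots. (If the source is SNMP sysUpTime, convert its
    hundredths-of-a-second ticks to seconds and handle its ~497-day wrap
    before calling this, or a wrap will look like a reboot.)
    """
    reboots: List[datetime] = []
    prev_uptime = None
    for ts, uptime in sorted(samples):
        if prev_uptime is not None and uptime < prev_uptime:
            reboots.append(ts)
        prev_uptime = uptime
    return reboots


def max_reboots_in_window(reboots: List[datetime],
                          window: timedelta = DEFAULT_WINDOW) -> int:
    """Largest number of reboots that fall inside any span of length `window`.

    Two-pointer sweep over the sorted reboot times: for each reboot as the
    window start, advance the end pointer while it is still within range.
    """
    times = sorted(reboots)
    best = 0
    end = 0
    for start_idx, start in enumerate(times):
        while end < len(times) and times[end] - start <= window:
            end += 1
        best = max(best, end - start_idx)
    return best


def assess(samples: List[Sample],
           window: timedelta = DEFAULT_WINDOW,
           threshold: int = DEFAULT_THRESHOLD) -> Dict[str, object]:
    """Combine the two checks into one result suitable for an alert rule."""
    reboots = detect_reboots(samples)
    peak = max_reboots_in_window(reboots, window)
    return {"reboots": reboots, "peak_in_window": peak,
            "alert": peak >= threshold}


if __name__ == "__main__":
    result = assess(SAMPLES)
    for ts in result["reboots"]:
        print("reboot observed at", ts.isoformat())
    print("peak reboots in window:", result["peak_in_window"],
          "alert:", result["alert"])
```

Before treating an alert as a sign of attack, correlate the reboot times with change windows and upgrade jobs, since a planned restart produces the same uptime drop; on an affected build with DNS Security logging enabled, an unexplained burst is the cue to pull the DNS Security logs for the minutes preceding each reboot.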

Best Practices for Network Security

To enhance overall security and mitigate similar threats in the future:

  • Apply security patches promptly
  • Limit exposure of firewall management interfaces to the internet
  • Deploy Intrusion Prevention Systems (IPS) to detect and block malicious DNS traffic
  • Regularly review and update security policies
  • Conduct penetration testing to assess firewall resilience

Conclusion

CVE-2024-3393 is a significant security risk that can lead to firewall downtime and network outages. Given its active exploitation, organizations must prioritize upgrading their PAN-OS to patched versions or implement temporary mitigations immediately. Continuous monitoring and adherence to cybersecurity best practices will help minimize the risk of future threats. For more information, stay updated with the latest patches and security advisories from Palo Alto Networks.

Frequently Asked Questions (FAQs)

What should I do if I can’t upgrade immediately?

Disable DNS Security logging as a temporary workaround until you can upgrade to a fixed version.

Has this vulnerability been actively exploited?

Yes, reports indicate active exploitation in the wild, making it critical to apply patches as soon as possible.

Does this affect all Palo Alto Networks firewalls?

No, only those with a DNS Security License and DNS Security logging enabled are vulnerable.

Can this vulnerability be exploited remotely?

Yes, an unauthenticated attacker can exploit this remotely if the firewall is exposed to malicious DNS traffic.

Will disabling DNS Security logging affect my security posture?

It may reduce visibility into DNS-based threats, so re-enable logging after upgrading to a patched version.