Overview
Palo Alto Networks has recently released a patch to address a critical Denial of Service (DoS) vulnerability in its PAN-OS software. The vulnerability, identified as CVE-2024-3393, allows unauthenticated attackers to send a specially crafted packet through the firewall’s data plane, causing the device to reboot and potentially enter maintenance mode. This issue primarily affects devices with DNS Security logging enabled.
CVE Number:
- CVE-2024-3393
Severity:
- CVSS Score: 8.7 (High)
- Exploitation Status: Actively exploited in the wild.
Impact:
- Firewall Reboots: The vulnerability can cause the firewall to reboot, disrupting network security.
- Maintenance Mode: Repeated exploitation can force the device into maintenance mode, requiring manual intervention.
- Affected Versions: PAN-OS versions prior to 10.1.14-h8, 10.2.10-h12, 11.1.5, and 11.2.3 are vulnerable.
Remediation:
- Patch Installation: Upgrade to PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, or 11.2.3, or any later release on the same branch.
- Workarounds: For devices unable to update immediately, disable DNS Security logging or change the Log Severity to “none” for DNS Security categories.
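The first step in remediation is knowing which firewalls in an inventory are still below the fixed release for their branch. The script below is an added example, not code from Palo Alto Networks or from this advisory; it encodes only the four fixed releases named above and assumes PAN-OS version strings of the form major.minor.maintenance with an optional -hN hotfix suffix. For branches the advisory does not list (for example 11.0), it deliberately returns "unknown" rather than guessing; the hostnames and versions in the sample inventory are constructed.

```python
"""Check PAN-OS version strings against the fixed releases named in the
CVE-2024-3393 advisory.  Added example, not Palo Alto Networks code."""
import re
from typing import Optional, Tuple

# Fixed releases exactly as stated in the advisory, keyed by feature branch.
# Anything on one of these branches that sorts below its fixed release is
# still exposed to the DoS.
FIXED_RELEASES = {
    (10, 1): "10.1.14-h8",
    (10, 2): "10.2.10-h12",
    (11, 1): "11.1.5",
    (11, 2): "11.2.3",
}

# Assumed version syntax: major.minor.maintenance with optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '10.1.14-h8' into (10, 1, 14, 8).  A missing hotfix counts as 0,
    so the base release '10.1.14' sorts below '10.1.14-h8', which matches the
    advisory's wording that versions prior to the hotfix are vulnerable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch,
    False if it is at or above it, None if the branch is not one the
    advisory lists (assumption: do not guess about unlisted branches)."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return None
    return v < parse_version(fixed)


def triage(inventory):
    """Sort (hostname, version) pairs, e.g. from a CMDB export, into
    patch-now / patched / unknown-branch buckets."""
    buckets = {"patch_now": [], "patched": [], "unknown_branch": []}
    for host, version in inventory:
        status = is_vulnerable(version)
        if status is None:
            buckets["unknown_branch"].append(host)
        elif status:
            buckets["patch_now"].append(host)
        else:
            buckets["patched"].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("fw-edge-01", "10.1.14-h7"),
        ("fw-edge-02", "10.1.14-h8"),
        ("fw-dc-01", "10.2.10-h12"),
        ("fw-dc-02", "10.2.9"),
        ("fw-lab-01", "11.1.4-h2"),
        ("fw-lab-02", "11.2.3"),
        ("fw-old-01", "11.0.6"),
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the patch_now bucket need the upgrade or, until it can be scheduled, the DNS Security logging workaround described above; hosts in unknown_branch need a manual check against the vendor advisory, because the script refuses to infer a fixed release the page does not state.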
Conclusion:
Palo Alto Networks has taken swift action to address the CVE-2024-3393 vulnerability, ensuring that affected devices can be secured with the latest patch. It is crucial for organizations using PAN-OS to apply the patch promptly to mitigate the risk of DoS attacks and maintain network security. By staying vigilant and applying necessary updates, businesses can protect their infrastructure from potential threats.