
Palo Alto Networks has disclosed a high-severity vulnerability affecting PAN-OS software that could cause a denial-of-service (DoS) condition on susceptible devices.
The flaw, tracked as CVE-2024-3393 (CVSS score: 8.7), impacts PAN-OS versions 10.X and 11.X, as well as Prisma Access running PAN-OS versions 10.2.8 and later or prior to 11.2.3. It is addressed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.
“A denial-of-service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of a firewall that causes the firewall to reboot,” the company said in an advisory Friday.
“Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.”

Palo Alto Networks said it discovered the flaw in production use, and that customers “experienced a denial of service (DoS) when their firewall intercepted malicious DNS packets that set off the issue.”
The extent of the activity is currently unknown. The Hacker News has reached out to Palo Alto Networks for further comment, and we’ll update the story if we hear back.
It's worth noting that firewalls that have DNS Security logging enabled are affected by CVE-2024-3393. In addition, the vulnerability's severity drops to a CVSS score of 7.1 when access is provided only to authenticated users via Prisma Access.
The fixes have also been extended to other commonly deployed maintenance releases:
- PAN-OS 11.1 (11.1.2-h16, 11.1.3-h13, 11.1.4-h7, and 11.1.5)
- PAN-OS 10.2 (10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, and 10.2.14)
- PAN-OS 10.1 (10.1.14-h8 and 10.1.15)
- PAN-OS 10.2.9-h19 and 10.2.10-h12 (applicable to Prisma Access only)
- PAN-OS 11.0 (no fix because it reached end of life on November 17, 2024)
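
The fixed-release list above can be turned into an inventory check. The following Python sketch is an added example, not code from Palo Alto Networks or from the original article; it assumes that a later hotfix of a listed maintenance release also carries the fix, and the hostnames and inventory are constructed.

```python
import re

# Minimum fixed hotfix per maintenance release, copied from the list above.
# Hotfix 0 means the base maintenance release itself carries the fix.
FIXED = {
    (11, 2): {3: 0},
    (11, 1): {2: 16, 3: 13, 4: 7, 5: 0},
    (10, 2): {8: 19, 9: 19, 10: 12, 11: 10, 12: 4, 13: 2, 14: 0},
    (10, 1): {14: 8, 15: 0},
}
EOL_NO_FIX = {(11, 0)}  # end of life on November 17, 2024, no fix

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def fix_status(version):
    """Classify a PAN-OS version string such as '10.2.9-h19'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    hotfix = int(m.group(4) or 0)
    branch = (major, minor)
    if branch in EOL_NO_FIX:
        return "eol-no-fix"
    if branch not in FIXED:
        return "unknown-branch"  # branch is not mentioned in the article
    fixes = FIXED[branch]
    if maint > max(fixes):
        return "fixed"  # "all later PAN-OS versions"
    # Assumption: a later hotfix of the same maintenance release keeps the fix.
    if maint in fixes and hotfix >= fixes[maint]:
        return "fixed"
    return "unfixed"


def audit(inventory):
    """Return {hostname: status} for every device not on a fixed release."""
    results = {host: fix_status(ver) for host, ver in inventory.items()}
    return {host: s for host, s in results.items() if s != "fixed"}


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {"fw-edge-01": "10.2.10-h5", "fw-edge-02": "10.2.9-h19",
              "fw-lab-01": "11.0.4", "fw-dc-01": "11.2.3"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

A result of `unfixed` only means that none of the listed fixes is present; as noted above, CVE-2024-3393 affects firewalls that have DNS Security logging enabled.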

As a mitigation for unmanaged firewalls or firewalls managed by Panorama, customers have the option to set Log Severity to “none” for each of the configured DNS Security categories for each Anti-Spyware profile in Objects > Security Profiles > Anti-Spyware > (Select Profile) > DNS Policies > DNS Security.
For firewalls managed by Strata Cloud Manager (SCM), users can either disable DNS Security logging directly on each device, or do so across all of them by opening a support case. For Prisma Access tenants managed by SCM, it is recommended to open a support case to disable logging until the upgrade.