Palo Alto Networks Releases Patch for PAN-OS Denial-of-Service Vulnerability



Palo Alto Networks has disclosed a high-severity vulnerability in PAN-OS, tracked as CVE-2024-3393, that lets an unauthenticated attacker force a denial-of-service (DoS) condition on affected firewalls. The flaw affects specific PAN-OS and Prisma Access releases and has been exploited in the wild. Patches are available for the affected PAN-OS release trains, and disabling DNS Security logging is offered as a temporary workaround until devices can be upgraded. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to patch by January 20, 2025.


Key Facts

Risks:

Patch Management

Keywords:

Palo Alto Networks, PAN-OS, CVE-2024-3393, Denial-of-Service, Vulnerability Patch

CVE:

CVE-2024-3393

Affected:

Palo Alto Networks, PAN-OS, Prisma Access


Article Body

Palo Alto Networks PAN-OS Vulnerability Patch Release

Overview

Palo Alto Networks has released a critical update to address a high-severity vulnerability in its PAN-OS software, which could lead to a denial-of-service (DoS) condition on affected devices. This flaw impacts certain versions of PAN-OS and Prisma Access. The company has issued patches to mitigate the risk and recommends users apply these updates promptly.

Technical Details

The vulnerability, tracked as CVE-2024-3393, is a denial-of-service flaw in the DNS Security feature of PAN-OS. An unauthenticated attacker can trigger it by sending a malicious DNS packet through the firewall's data plane; when the firewall processes and logs that packet under DNS Security, the device reboots. Because the bug sits in the logging path, it is only reachable while DNS Security logging is enabled, which is why turning that logging off works as an interim mitigation. Repeated triggering forces the firewall into maintenance mode, taking it out of service until an operator intervenes.

Impacted Versions

The affected releases span PAN-OS 10.x and 11.x, plus Prisma Access running PAN-OS 10.2.8 or later but earlier than 11.2.3. Fixes are available in PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3, and later releases. The hotfix suffix matters: a firewall on 10.1.14 without the -h8 hotfix is still exposed, and the fixed build differs per release train, so check the vendor advisory for the exact build that applies to your maintenance release.
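The version thresholds above are easy to misread by eye because PAN-OS hotfix suffixes (-hN) sort after the bare maintenance release. The following script is an added example, not code from the article or from Palo Alto Networks: it parses PAN-OS version strings, compares them against the four fixed builds the article lists (treating the article's "all subsequent versions" wording literally), and pulls the running version out of a `show system info` response from the PAN-OS XML API. The sample XML response is constructed for the example; the op command shown in the comment is the real API call. Release trains the article gives no fix for (such as 11.0) are reported as "unknown" rather than guessed, and because the vendor advisory breaks some trains down into per-maintenance-release hotfixes, a "fixed" verdict from this table should be confirmed against the advisory before you rely on it.

```python
import re
import xml.etree.ElementTree as ET

# Fix thresholds per PAN-OS release train, exactly as the article lists them
# (10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3 "and all subsequent versions").
# Trains not listed here (e.g. 11.0) return "unknown"; the script does not guess.
FIXED_VERSIONS = {
    (10, 1): "10.1.14-h8",
    (10, 2): "10.2.10-h12",
    (11, 1): "11.1.5",
    (11, 2): "11.2.3",
}

# PAN-OS versions look like major.minor.maintenance with an optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Turn '10.2.10-h12' into (10, 2, 10, 12); a missing hotfix counts as h0."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def cve_2024_3393_status(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one PAN-OS version string."""
    v = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown"
    # Tuple comparison orders by major, minor, maintenance, then hotfix number,
    # so 10.1.14 (h0) correctly sorts below 10.1.14-h8.
    return "fixed" if v >= parse_panos_version(fixed) else "vulnerable"


def sw_version_from_system_info(xml_text: str) -> str:
    """Extract <sw-version> from a PAN-OS XML API 'show system info' response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call did not succeed")
    node = root.find("./result/system/sw-version")
    if node is None or not node.text:
        raise RuntimeError("sw-version missing from response")
    return node.text.strip()


# Constructed sample response, trimmed to the elements this script reads.
# A real firewall returns this shape for the XML API op command:
#   GET https://<firewall>/api/?type=op&cmd=<show><system><info></info></system></show>
SAMPLE_SYSTEM_INFO = """<response status="success">
  <result>
    <system>
      <hostname>edge-fw-01</hostname>
      <sw-version>10.2.10-h9</sw-version>
      <model>PA-3260</model>
    </system>
  </result>
</response>"""


def triage(xml_text: str) -> tuple:
    """Return (sw-version, CVE-2024-3393 status) for one 'show system info' response."""
    version = sw_version_from_system_info(xml_text)
    return version, cve_2024_3393_status(version)


if __name__ == "__main__":
    ver, status = triage(SAMPLE_SYSTEM_INFO)
    print(f"{ver}: {status}")
    for v in ["10.1.14", "10.1.14-h8", "10.2.10-h12", "11.1.4", "11.2.3", "11.0.4"]:
        print(f"{v}: {cve_2024_3393_status(v)}")
```

Point the `triage` function at the output of the op command for each firewall in an inventory and you get a per-device verdict; note that the regex deliberately rejects candidate (-c) and other non-release build strings rather than silently treating them as h0.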

Exploitation and Discovery

Palo Alto Networks learned of the vulnerability from customers hitting the DoS condition in production and has confirmed exploitation in the wild; it published the advisory and workaround details so customers can protect their environments. The CVSS score of 8.7 drops to 7.1 when access is restricted to authenticated end users via Prisma Access, since that limits who can reach the vulnerable path.

Mitigation Steps

The definitive fix is to upgrade to a patched release. Where that cannot happen immediately, the vendor offers a temporary workaround: disable DNS Security logging so the vulnerable code path is never exercised. On unmanaged NGFWs, and on NGFWs or Prisma Access tenants managed by Panorama, this is done in the Anti-Spyware profile: open each profile (Objects > Security Profiles > Anti-Spyware), go to DNS Policies > DNS Security, set Log Severity to "none" for every configured DNS Security category, and commit. This removes DNS Security log visibility for the duration, so restore the original severities once the upgrade is done.

For NGFWs managed by Strata Cloud Manager (SCM), either apply the same profile change on each firewall or open a support case to have DNS Security logging disabled across all firewalls in the tenant. Prisma Access tenants managed by SCM should open a support case to have logging turned off until the upgrade is performed.

Inclusion in CISA KEV Catalog

CISA added CVE-2024-3393 to its Known Exploited Vulnerabilities (KEV) catalog on December 30, 2024. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must apply the fixes by January 20, 2025.


Read More

https://thehackernews.com/2024/12/palo-alto-releases-patch-for-pan-os-dos.html?m=1