
Palo Alto Networks has disclosed a high-severity vulnerability, CVE-2024-3393, in its PAN-OS software that powers its next-generation firewalls.
The flaw allows unauthenticated attackers to exploit the DNS Security feature by sending specially crafted DNS packets, triggering a Denial of Service (DoS) condition. This vulnerability can cause affected firewalls to reboot and enter maintenance mode if exploited repeatedly.
The issue stems from improper handling of exceptional conditions within the DNS Security feature of PAN-OS. Attackers can send malicious packets through the firewall’s data plane, causing it to crash and reboot.
This flaw has been rated with a CVSS score of 8.7 (High), indicating significant potential for disruption. The attack has low complexity, requires no user interaction or privileges, and can be executed remotely over a network.
The vulnerability impacts multiple versions of PAN-OS:
Prisma Access customers using vulnerable PAN-OS versions are also at risk.
Palo Alto Networks has confirmed reports of exploitation in production environments, where attackers have successfully triggered DoS conditions by exploiting this vulnerability.
While the flaw does not compromise confidentiality or integrity, it significantly impacts availability, making it a critical concern for organizations relying on these firewalls for network security.
Palo Alto Networks has released patches to address the issue in the following versions:
Customers are strongly advised to upgrade to these versions or later to mitigate the risk.
For those unable to apply fixes immediately, temporary workarounds include disabling DNS Security logging:
Organizations using Palo Alto firewalls should:
This vulnerability highlights the critical importance of timely patch management and robust monitoring practices to safeguard network infrastructure against emerging threats.
