Palo Alto Networks Security Advisories / CVE-2024-2550

CVE-2024-2550 PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet

Urgency MODERATE

047910
Severity 6.6 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE
CVE JSON CSAF
Published 2024-11-13
Updated 2025-01-06
Reference PAN-244950, PAN-221352
Discovered externally

Description

A null pointer dereference vulnerability in the GlobalProtect gateway in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to stop the GlobalProtect service on the firewall by sending a specially crafted packet that causes a denial of service (DoS) condition. Repeated attempts to trigger this condition result in the firewall entering maintenance mode.

Product Status

VersionsAffectedUnaffected
Cloud NGFWNone
All
PAN-OS 11.2None
All
PAN-OS 11.1< 11.1.4-h9
< 11.1.5
>= 11.1.4-h9
>= 11.1.5
PAN-OS 11.0< 11.0.6
>= 11.0.6
PAN-OS 10.2< 10.2.7-h21
< 10.2.8-h18
< 10.2.9-h18
< 10.2.10-h10
< 10.2.11
>= 10.2.7-h21
>= 10.2.8-h18
>= 10.2.9-h18
>= 10.2.10-h10
>= 10.2.11
PAN-OS 10.1None
All
Prisma AccessNone
All

Required Configuration for Exposure

This issue impacts only firewalls on which you configured a GlobalProtect gateway. You can verify whether you configured GlobalProtect gateway by checking for entries in your firewall web interface (Network → GlobalProtect → Gateways).

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 6.6 / CVSS-B: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-476 NULL Pointer Dereference

CAPEC-129 Pointer Manipulation

Solution

This issue is fixed in PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.5, and all later PAN-OS versions.

In addition, in an attempt to provide the most seamless upgrade path for our customers, we are making additional fixes available as noted below:

Workarounds and Mitigations

No workaround or mitigation is available.

Acknowledgments

Palo Alto Networks thanks Michael Baker from AC3 for discovering and reporting the issue."

CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h20:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h19:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*

Timeline

Added additional fixed versions for PAN-OS 10.2
Updated the Product Status table
Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.