CVE-2024-3384 PAN-OS: Firewall Denial of Service (DoS) via Malformed NTLM Packets
Description
A vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to reboot PAN-OS firewalls when receiving Windows New Technology LAN Manager (NTLM) packets from Windows servers. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.1 | None | All |
| PAN-OS 11.0 | None | All |
| PAN-OS 10.2 | None | All |
| PAN-OS 10.1 | None | All |
| PAN-OS 10.0 | < 10.0.12 | >= 10.0.12 |
| PAN-OS 9.1 | < 9.1.15-h1 | >= 9.1.15-h1 |
| PAN-OS 9.0 | < 9.0.17 | >= 9.0.17 |
| PAN-OS 8.1 | < 8.1.24 | >= 8.1.24 |
| Prisma Access | None | All |
Required Configuration for Exposure
This issue affects only PAN-OS configurations with NTLM authentication enabled. You should verify whether NTLM authentication is enabled by checking your firewall web interface (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > NTLM).
Severity: HIGH
CVSSv4.0 Base Score: 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-1286 Improper Validation of Syntactic Correctness of Input
Solution
This issue is fixed in PAN-OS 8.1.24, PAN-OS 9.0.17, PAN-OS 9.1.15-h1, PAN-OS 10.0.12, and all later PAN-OS versions.