Palo Alto Networks Security Advisories / CVE-2024-3385

CVE-2024-3385 PAN-OS: Firewall Denial of Service (DoS) when GTP Security is Disabled

Severity: 8.2 HIGH
Urgency: MODERATE
Response Effort: LOW
Recovery: USER
Value Density: DIFFUSE
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: PRESENT
Automatable: YES
User Interaction: NONE
Product Confidentiality: NONE
Product Integrity: NONE
Product Availability: HIGH
Privileges Required: NONE
Subsequent Confidentiality: NONE
Subsequent Integrity: NONE
Subsequent Availability: NONE

Description

A packet processing mechanism in Palo Alto Networks PAN-OS software enables a remote attacker to reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.

This affects the following hardware firewall models:

- PA-5400 Series firewalls

- PA-7000 Series firewalls

Product Status

Versions        Affected      Unaffected
Cloud NGFW      None          All
PAN-OS 11.1     None          All
PAN-OS 11.0     < 11.0.3      >= 11.0.3
PAN-OS 10.2     < 10.2.8      >= 10.2.8
PAN-OS 10.1     < 10.1.12     >= 10.1.12
PAN-OS 9.1      < 9.1.17      >= 9.1.17
PAN-OS 9.0      < 9.0.17-h4   >= 9.0.17-h4
Prisma Access   None          All

Required Configuration for Exposure

This does not affect VM-Series firewalls, CN-Series firewalls, Cloud NGFWs, or Prisma Access.

This issue affects only PAN-OS configurations with GTP Security disabled; it does not affect PAN-OS configurations that have GTP Security enabled. You should verify whether GTP Security is disabled by checking your firewall web interface (Device > Setup > Management > General Settings) and take the appropriate actions as needed.

Severity: HIGH

CVSSv4.0 Base Score: 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. This was encountered by two customers in normal production usage.

Weakness Type

CWE-20: Improper Input Validation

CWE-476: NULL Pointer Dereference

Solution

This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94993 (introduced in Applications and Threats content version 8832).
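The three exposure conditions stated above (a PA-5400 or PA-7000 Series model, a release below the fixed version in the Product Status table, and GTP Security disabled) combined into a single triage check. This is an added example, not Palo Alto Networks tooling; the PA-54/PA-70 model-prefix match and the treatment of release trains absent from the table as "unknown" are assumptions.

```python
import re
from typing import Optional, Tuple

# First fixed release per affected train, taken from the advisory's table and Solution
# section. 11.1 is listed as unaffected, so its absence here means "not affected".
FIXED_IN = {
    (9, 0): "9.0.17-h4",
    (9, 1): "9.1.17",
    (10, 1): "10.1.12",
    (10, 2): "10.2.8",
    (11, 0): "11.0.3",
}

# Assumption: PA-5400 and PA-7000 Series model names start with these prefixes.
AFFECTED_MODEL_PREFIXES = ("PA-54", "PA-70")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[-hN]' into a comparable tuple; no hotfix sorts as h0,
    so 9.0.17 compares below 9.0.17-h4, matching the table's '< 9.0.17-h4' range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def version_is_vulnerable(version: str) -> Optional[bool]:
    """True/False for trains in the table; None for trains the advisory does not cover."""
    v = parse_version(version)
    if v[:2] >= (11, 1):
        return False  # 11.1 and later: listed as unaffected
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None   # e.g. 8.1: not in the table, so no verdict is possible from it
    return v < parse_version(fixed)


def assess(model: str, version: str, gtp_security_enabled: bool) -> str:
    """Combine model, version and GTP Security state into one exposure verdict."""
    if not model.upper().startswith(AFFECTED_MODEL_PREFIXES):
        return "not exposed: model is not in the PA-5400/PA-7000 families"
    vulnerable = version_is_vulnerable(version)
    if vulnerable is None:
        return "unknown: release train is not covered by the advisory table"
    if not vulnerable:
        return "not exposed: running a fixed release"
    if gtp_security_enabled:
        return "not exposed: GTP Security is enabled"
    return "EXPOSED: upgrade to a fixed release or enable Threat ID 94993"
```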

Acknowledgments

Palo Alto Networks thanks an external reporter for discovering and reporting this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.