Palo Alto Networks Security Advisories / CVE-2024-3386

CVE-2024-3386 PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended

Severity 6.9 · MEDIUM
Response Effort LOW
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity LOW
Product Availability NONE
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE


An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.

Product Status

Cloud NGFW NoneAll
PAN-OS 11.1NoneAll
PAN-OS 11.0< 11.0.1-h2, < 11.0.2>= 11.0.1-h2, >= 11.0.2
PAN-OS 10.2< 10.2.4-h2, < 10.2.5>= 10.2.4-h2, >= 10.2.5
PAN-OS 10.1< 10.1.9-h3, < 10.1.10>= 10.1.9-h3, >= 10.1.10
PAN-OS 10.0< 10.0.13>= 10.0.13
PAN-OS 9.1< 9.1.17>= 9.1.17
PAN-OS 9.0< 9.0.17-h2>= 9.0.17-h2
Prisma Access NoneAll

Required Configuration for Exposure

You must configure Predefined Decryption Exclusions on your PAN-OS firewalls. You should check to see whether you have any configured exclusions in your firewall web interface (Device > Certificate Management > SSL Decryption Exclusions).

Severity: MEDIUM

CVSSv4.0 Base Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-436 Interpretation Conflict


This issue is fixed in 9.0.17-h2, 9.0.18, 9.1.17, 10.0.13, 10.1.9-h3, 10.1.10, 10.2.4-h2, 10.2.5, 11.0.1-h2, 11.0.2, and all later PAN-OS versions.


Palo Alto Networks thanks Frederic De Vlieger for discovering and reporting this issue.


Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.