CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet
Description
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
This issue is applicable to the PAN-OS software versions listed below on PA-Series firewalls, VM-Series firewalls, CN-Series firewalls, and Prisma Access.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS | None on Panorama | All on Panorama |
| PAN-OS 11.2 | < 11.2.3* | >= 11.2.3* |
| PAN-OS 11.1 | < 11.1.5* | >= 11.1.5* |
| PAN-OS 10.2 | >= 10.2.8*, < 10.2.14* | < 10.2.8*, >= 10.2.14* |
| PAN-OS 10.1 | >= 10.1.14*, < 10.1.15* | < 10.1.14*, >= 10.1.15* |
| PAN-OS 10.0 | None | All |
| PAN-OS 9.1 | None | All |
| Prisma Access | >= 10.2.8* on PAN-OS, < 11.2.3* on PAN-OS | < 10.2.8* on PAN-OS, >= 11.2.3* on PAN-OS |
* See the Solution section for additional fixes and ETAs for commonly deployed maintenance releases.
Required Configuration for Exposure
This issue does not affect Cloud NGFW, Panorama M-Series, or Panorama virtual appliances.
Both of the following must be true for PAN-OS software to be affected:
- Either a DNS Security License or an Advanced DNS Security License must be applied, AND
- DNS Security logging must be enabled.
Severity: HIGH, Suggested Urgency: MODERATE
An attacker sends a malicious packet through the firewall, which processes a malicious packet that triggers this issue.
CVSS-BT:
8.7 /
CVSS-B:
8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:A/AU:N/R:U/V:C/RE:M/U:Amber)
Prisma Access, when only providing access to authenticated end users, processes a malicious packet that triggers this issue.
CVSS-BT:
7.1 /
CVSS-B:
7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:A/AU:N/R:U/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is aware of customers experiencing this denial of service (DoS) when their firewall blocks malicious DNS packets that trigger this issue.
Weakness Type and Impact
CWE-754 Improper Check for Unusual or Exceptional Conditions
Solution
This issue is fixed in PAN-OS 10.1.15, PAN-OS 10.2.14, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.
Note: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release.
Prisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided below. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a support case.
In addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.
Additional PAN-OS 11.1 releases with the fix:
- 11.1.2-h16 (available)
- 11.1.3-h13 (available)
- 11.1.4-h7 (available)
- 11.1.5 (available)
- 10.2.8-h19 (available)
- 10.2.9-h19 (available)
- 10.2.10-h12 (available)
- 10.2.11-h10 (available)
- 10.2.12-h4 (available)
- 10.2.13-h2 (available)
- 10.2.14 (ETA: end of Jan)
- 10.1.14-h8 (available)
- 10.1.15 (ETA: end of Jan)
- 10.2.9-h19 (available)
- 10.2.10-h12 (available)
Workarounds and Mitigations
If your firewall running the vulnerable PAN-OS versions stops responding or reboots unexpectedly and you cannot immediately apply a fix, apply a workaround below based on your deployment.
Unmanaged NGFWs, NGFW managed by Panorama, or Prisma Access managed by Panorama
- Within Objects → Security Profiles, determine if you use the predefined Anti-Spyware profiles in your Security Policy. These are named "Default" or "Strict". If you are using the predefined security profiles, clone the predefined Anti-Spyware profile for use as a custom Anti-Spyware profile. After cloning each relevant predefined Anti-Spyware profile, replace them with the cloned custom Anti-Spyware profile or group in your Security Rules (Policies → Security → (security rule) in either Actions → Profiles or Actions → Group).
- For each custom Anti-Spyware profile, navigate to Objects → Security Profiles → Anti-Spyware → (select a custom profile) → DNS Policies → DNS Security.
- Change the Log Severity to "none" for all configured DNS Security categories.
- Commit the changes.
NGFW managed by Strata Cloud Manager (SCM)
- Option 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above.
- Option 2: Disable DNS Security logging across all NGFWs in your tenant by opening a support case.
Prisma Access managed by Strata Cloud Manager (SCM)
Until we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a support case. If you would like to expedite the upgrade, please make a note of that in the support case.
Acknowledgments
CPEs
cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:*:*:*:*:*:*