CVE-2024-9468 PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet
Description
A memory corruption vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker to crash PAN-OS due to a crafted packet through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS | 10.1 None, 11.2 None | 10.1 All, 11.2 All |
PAN-OS 11.1 | < 11.1.3 | >= 11.1.3 |
PAN-OS 11.0 | < 11.0.4-h5, < 11.0.6 | >= 11.0.4-h5, >= 11.0.6 |
PAN-OS 10.2 | < 10.2.9-h11, < 10.2.10-h4, < 10.2.11 | >= 10.2.9-h11, >= 10.2.10-h4, >= 10.2.11 |
Prisma Access | None | All |
Required Configuration for Exposure
This issue affects only PAN-OS configurations where all of the following are true:
* Threat Prevention is enabled.
* The Threat Prevention signature 86467 ("Possible Domain Fronting Detection-SNI") is enabled on an Anti-Spyware profile.
* This setting is enabled: Device > Setup > Session > Decryption Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection.
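For fleet triage, the Product Status table and the three configuration conditions above can be turned into a check. This is an added example, not Palo Alto Networks code; the function and parameter names are hypothetical, and it assumes a hotfix threshold applies only within its own maintenance release, a reading that agrees with the CPE list at the end of this advisory.

```python
import re

# Fixed releases from the Product Status table, keyed by release train.
# Each entry is (maintenance, hotfix); hotfix 0 is the base maintenance release.
FIXED = {
    (11, 1): [(3, 0)],
    (11, 0): [(4, 5), (6, 0)],
    (10, 2): [(9, 11), (10, 4), (11, 0)],
}
# Trains the table lists with no affected versions.
UNAFFECTED_TRAINS = {(10, 1), (11, 2)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split 'X.Y.Z' or 'X.Y.Z-hN' into ((X, Y), Z, N); N is 0 without a hotfix."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor)), int(maint), int(hotfix or 0)


def is_affected(version):
    """True or False per the table; None if the train is not listed at all."""
    train, maint, hotfix = parse(version)
    if train in UNAFFECTED_TRAINS:
        return False
    fixes = FIXED.get(train)
    if fixes is None:
        return None
    for fix_maint, fix_hotfix in fixes:
        if maint == fix_maint:          # same maintenance release: compare hotfix
            return hotfix < fix_hotfix
    # Assumption: with no hotfix fix for this maintenance release, only
    # releases at or above the highest fixed maintenance release are fixed.
    return maint < max(m for m, _ in fixes)


def is_exposed(version, threat_prevention, sig_86467, handshake_to_ctd):
    """Affected version AND all three configuration conditions from the advisory."""
    affected = is_affected(version)
    if affected is None:
        return None
    return affected and all((threat_prevention, sig_86467, handshake_to_ctd))
```

A `None` result means the release train does not appear in the table, so the advisory gives no answer for it and the device needs manual review.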
Severity: HIGH, Suggested Urgency: MODERATE
CVSS-BT: 8.2 / CVSS-B: 8.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
Solution
This issue is fixed in PAN-OS 10.2.9-h11, PAN-OS 10.2.10-h4, PAN-OS 10.2.11, PAN-OS 11.0.4-h5, PAN-OS 11.0.6, PAN-OS 11.1.3, and all later PAN-OS versions.
Workarounds and Mitigations
Customers can block attacks for this vulnerability by disabling this setting: Device > Setup > Session > Decryption Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection. Customers with a Threat Prevention subscription who want to keep domain fronting detection enabled can block attacks for this vulnerability by enabling Threat ID 94971 (introduced in Applications and Threats content version 8854).
Acknowledgments
CPEs
cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*