Palo Alto Networks Security Advisories / CVE-2024-9468

CVE-2024-9468 PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet

047910
Severity 8.2 · HIGH
Urgency MODERATE
Response Effort LOW
Recovery USER
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity HIGH
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

A memory corruption vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker to crash PAN-OS due to a crafted packet through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
PAN-OS 11.2NoneAll
PAN-OS 11.1< 11.1.3>= 11.1.3
PAN-OS 11.0< 11.0.4-h5, < 11.0.6>= 11.0.4-h5, >= 11.0.6
PAN-OS 10.2< 10.2.9-h11, < 10.2.10-h4, < 10.2.11>= 10.2.9-h11, >= 10.2.10-h4, >= 10.2.11
PAN-OS 10.1NoneAll
Prisma Access NoneAll

Required Configuration for Exposure

This issue affects only PAN-OS configurations where all of the following are true:

* Threat Prevention is enabled.

* The Threat Prevention signature 86467 ("Possible Domain Fronting Detection-SNI") is enabled on an Anti-Spyware profile.

* This setting is enabled: Device > Setup > Session > Decryption Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection.

Severity: HIGH

CVSSv4.0 Base Score: 8.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-787 Out-of-bounds Write

Solution

This issue is fixed in 10.2.9-h11, 10.2.10-h4, PAN-OS 10.2.11, PAN-OS 11.0.4-h5, PAN-OS 11.0.6, PAN-OS 11.1.3, and all later PAN-OS versions.

Workarounds and Mitigations

Customers can block attacks for this vulnerability by disabling this setting: Device > Setup Session > Decryption Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection.

Customers with a Threat Prevention subscription, who want to keep domain fronting detection enabled, can block attacks for this vulnerability by enabling Threat ID 94971 (introduced in Applications and Threats content version 8854).

Acknowledgments

This issue was found by Jeff Luo of Palo Alto Networks during internal review.

CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*

Timeline

Clarified the Required Configuration for Exposure section
Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.