Palo Alto Networks Security Advisories / CVE-2024-9472

CVE-2024-9472 PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic

Urgency MODERATE

047910
Severity 6.6 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

A null pointer dereference in Palo Alto Networks PAN-OS software on PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series hardware platforms when Decryption policy is enabled allows an unauthenticated attacker to crash PAN-OS by sending specific traffic through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.

Palo Alto Networks VM-Series, Cloud NGFW, and Prisma Access are not affected.

This issue only affects PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series running these specific versions of PAN-OS:

Product Status

VersionsAffectedUnaffected
Cloud NGFWNoneAll
PAN-OS 11.2< 11.2.2-h3, < 11.2.3>= 11.2.2-h3, >= 11.2.3
PAN-OS 11.1< 11.1.2-h14, < 11.1.3-h10>= 11.1.2-h14, >= 11.1.3-h10
PAN-OS 11.0NoneAll
PAN-OS 10.2< 10.2.7-h16, < 10.2.8-h13, < 10.2.9-14, < 10.2.10-h7, < 10.2.11-h4>= 10.2.7-h16, >= 10.2.8-h13, >= 10.2.9-14, >= 10.2.10-h7, >= 10.2.11-h4
PAN-OS 10.1NoneAll
Prisma AccessNoneAll

Required Configuration for Exposure

This issue is only applicable firewalls where url proxy or any decrypt-policy is configured.

When any decrypt policy is configured, this issue may be encountered regardless of whether traffic matches explicit decrypt, explicit no-decrypt, or none of the decryption policies.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 6.6 / CVSS-B: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. However, customers have reported encountering this issue during normal operations.

Weakness Type and Impact

CWE-476 NULL Pointer Dereference

CAPEC-129 Pointer Manipulation

Solution

This issue is fixed in PAN-OS 10.2.7-h16, PAN-OS 10.2.8-h13, PAN-OS 10.2.9-h14, PAN-OS 10.2.10-h7, PAN-OS 10.2.11-h4, PAN-OS 11.1.2-h14, PAN-OS 11.1.3-h10, PAN-OS 11.2.2-h3, PAN-OS 11.2.3, and all later PAN-OS versions.

Workarounds and Mitigations

This issue does not impact firewalls that do not have url proxy or any decrypt-policy configured.

The issue can be completely mitigated by setting this option:

set system setting ctd nonblocking-pattern-match disable

CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.