Palo Alto Networks has disclosed a high-severity vulnerability impacting PAN-OS software program that might trigger a denial-of-service (DoS) situation on inclined units.
The flaw, tracked as CVE-2024-3393 (CVSS rating: 8.7), impacts PAN-OS variations 10.X and 11.X, in addition to Prisma Entry operating PAN-OS variations 10.2.8 and later or previous to 11.2.3. It has been addressed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS variations.
“A denial-of-service vulnerability within the DNS Safety function of Palo Alto Networks PAN-OS software program permits an unauthenticated attacker to ship a malicious packet by the info aircraft of the firewall that reboots the firewall,” the corporate stated in a Friday advisory.
“Repeated makes an attempt to set off this situation will trigger the firewall to enter upkeep mode.”
Palo Alto Networks stated it found the flaw in manufacturing use, and that it is conscious of shoppers “experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that set off this concern.”
The extent of the exercise is presently unknown. When reached for remark, the corporate acknowledged that the vulnerability is getting used within the wild. “We proactively launched this advisory to offer transparency and equip our prospects with the knowledge wanted to guard their environments,” it instructed The Hacker Information.
It is value stating that firewalls which have the DNS Safety logging enabled are affected by CVE-2024-3393. Moreover, the severity of the flaw drops to a CVSS rating of seven.1 when entry is simply supplied to authenticated finish customers by way of Prisma Entry.
The fixes have additionally been prolonged to different generally deployed upkeep releases –
- PAN-OS 11.1 (11.1.2-h16, 11.1.3-h13, 11.1.4-h7, and 11.1.5)
- PAN-OS 10.2 (10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, and 10.2.14)
- PAN-OS 10.1 (10.1.14-h8 and 10.1.15)
- PAN-OS 10.2.9-h19 and 10.2.10-h12 (solely relevant to Prisma Entry)
- PAN-OS 11.0 (No repair owing to it reaching end-of-life standing on November 17, 2024)
As workarounds and mitigations for unmanaged firewalls or these managed by Panorama, prospects have the choice of setting Log Severity to “none” for all configured DNS Safety classes for every Anti-Spyware and adware profile by navigating to Objects > Safety Profiles > Anti-spyware > (choose a profile) > DNS Insurance policies > DNS Safety.
For firewalls managed by Strata Cloud Supervisor (SCM), customers can both observe the above steps to disable DNS Safety logging straight on every machine, or throughout all of them by opening a help case. For Prisma Entry tenants managed by SCM, it is advisable to open a help case to show off logging till an improve is carried out.
(The story was up to date after publication to incorporate a response from Palo Alto Networks and make sure stories of energetic exploitation within the wild.)