CVE-2024-3393
PAN-OS vulnerability analysis and mitigation

Overview

A Denial of Service vulnerability (CVE-2024-3393) was discovered in the DNS Security feature of Palo Alto Networks PAN-OS software, affecting PA-Series firewalls, VM-Series firewalls, CN-Series firewalls, and Prisma Access. The vulnerability was disclosed on December 26, 2024, and was confirmed to be actively exploited by December 30, 2024. The affected versions include PAN-OS 11.2 (< 11.2.3), PAN-OS 11.1 (< 11.1.5), PAN-OS 10.2 (>= 10.2.8 and < 10.2.14), and PAN-OS 10.1 (>= 10.1.14 and < 10.1.15) (Palo Security).

Technical details

The vulnerability allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that triggers a reboot. The issue is specifically tied to the DNS Security feature and requires either a DNS Security License or an Advanced DNS Security License to be applied, along with DNS Security logging being enabled. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/R:U/V:C/RE:M/U:Amber. The weakness is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions) (Palo Security, NVD).

Impact

When successfully exploited, the vulnerability causes the firewall to reboot, and repeated attempts to trigger this condition will force the firewall to enter maintenance mode. In maintenance mode, the firewall temporarily stops enforcing security policies and protecting network traffic, effectively disabling network security controls. This can lead to significant disruption of network security operations (Censys, Palo Security).

Mitigation and workarounds

The vulnerability has been fixed in PAN-OS 10.1.15, PAN-OS 10.2.14, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later versions. For systems that cannot immediately apply the fix, Palo Alto Networks recommends changing the Log Severity to 'none' for all configured DNS Security categories. For unmanaged NGFWs or those managed by Panorama, administrators should clone and modify predefined Anti-Spyware profiles. Prisma Access customers can request an expedited upgrade or disable DNS Security logging across all NGFWs by opening a support case (Palo Security).
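To turn the version ranges in the Overview and the fix/workaround guidance above into a fleet triage step, here is an added example (not Palo Alto Networks code or part of the original report). It encodes only the release-level ranges this page states; the inventory is constructed, and a `-hN` hotfix suffix is deliberately ignored so a hotfix is treated as its base release, which errs on the side of flagging a device.

```python
from typing import Optional, Tuple

# Affected ranges exactly as stated on this page, keyed by major.minor train:
# (first affected patch or None for "all earlier", first fixed patch).
AFFECTED_RANGES = {
    (11, 2): (None, 3),   # < 11.2.3
    (11, 1): (None, 5),   # < 11.1.5
    (10, 2): (8, 14),     # >= 10.2.8 and < 10.2.14
    (10, 1): (14, 15),    # >= 10.1.14 and < 10.1.15
}

def parse_panos_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'. An optional '-hN' hotfix suffix is dropped
    (assumption: conservative, a hotfix counts as its base release)."""
    base = version.strip().split("-")[0]
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def is_vulnerable_release(version: str) -> bool:
    """True if the release falls inside a range the page lists as affected.
    Trains not listed on the page are reported as not affected."""
    major, minor, patch = parse_panos_version(version)
    rng = AFFECTED_RANGES.get((major, minor))
    if rng is None:
        return False
    lo, hi = rng
    return (lo is None or patch >= lo) and patch < hi

def is_exposed(version: str, dns_security_logging: bool) -> bool:
    """A vulnerable release is only reachable when DNS Security logging is
    enabled, so a device with logging already off is not currently exposed
    (it still needs the fixed release before logging is re-enabled)."""
    return is_vulnerable_release(version) and dns_security_logging

def triage(inventory) -> list:
    """inventory: iterable of (hostname, version, logging_enabled).
    Returns hostnames needing the fix or the Log Severity 'none' workaround."""
    return [host for host, ver, log in inventory if is_exposed(ver, log)]

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.2.10", True),      # inside 10.2.8 .. 10.2.13
    ("fw-edge-02", "10.2.14", True),      # first fixed 10.2 release
    ("fw-dc-01", "11.1.4-h1", True),      # hotfix treated as 11.1.4
    ("fw-lab-01", "10.1.13", True),       # below the affected 10.1 range
    ("fw-branch-07", "11.2.2", False),    # vulnerable release, logging off
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: exposed to CVE-2024-3393, upgrade or set Log Severity to none")
```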

Community reactions

The vulnerability has garnered significant attention from the cybersecurity community, leading to its rapid inclusion in CISA's KEV catalog. Palo Alto Networks has acknowledged the CERT-EE team for their forensic and analytic assistance in addressing this vulnerability (Palo Security).
