CVE-2024-9468: 
PAN-OS vulnerability analysis and mitigation

A memory corruption vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker to crash PAN-OS due to a crafted packet through the data plane, resulting in a denial of service (DoS) condition. This vulnerability, identified as CVE-2024-9468, was discovered internally by Jeff Luo of Palo Alto Networks and disclosed on October 9, 2024. The vulnerability affects specific versions of PAN-OS 11.1, 11.0, and 10.2 (Palo Advisory).

The vulnerability is classified with a CVSS 4.0 Base Score of 8.2 (HIGH) with the following vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Amber. The weakness is categorized as CWE-787 (Out-of-bounds Write). The vulnerability only affects PAN-OS configurations where Threat Prevention is enabled, Threat Prevention signature 86467 is enabled on an Anti-Spyware profile, and SSL Decryption Settings for sending handshake messages to CTD for inspection is enabled (Palo Advisory).

When successfully exploited, this vulnerability can cause the PAN-OS system to crash, leading to a denial of service condition. Repeated exploitation attempts will result in PAN-OS entering maintenance mode, potentially causing significant service disruption (Palo Advisory).

The vulnerability has been fixed in PAN-OS versions 10.2.9-h11, 10.2.10-h4, PAN-OS 10.2.11, PAN-OS 11.0.4-h5, PAN-OS 11.0.6, PAN-OS 11.1.3, and all later versions. As a workaround, customers can disable the setting: Device > Setup Session > Decryption Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection. Alternatively, customers with a Threat Prevention subscription can enable Threat ID 94971 (introduced in Applications and Threats content version 8854) (Palo Advisory).