Critical PAN-OS Security Flaw Triggers Firewall Crashes – Urgent Patch Released

Critical Security Vulnerability Discovered in PAN-OS Software

Palo Alto Networks has identified a high-severity vulnerability (CVE-2024-3393) affecting their PAN-OS software and Prisma Access systems. The vulnerability, rated with a CVSS score of 8.7, can trigger denial-of-service (DoS) conditions on affected devices.

Affected Systems:
– PAN-OS versions 10.X and 11.X
– Prisma Access running PAN-OS 10.2.8 and later versions (pre-11.2.3)

The vulnerability allows unauthorized attackers to send malicious packets through the firewall’s data plane, causing system reboots. Repeated attacks can force the firewall into maintenance mode. Systems with DNS Security logging enabled are particularly vulnerable.

Patched Versions:
– PAN-OS 10.1.14-h8
– PAN-OS 10.2.10-h12
– PAN-OS 11.1.5
– PAN-OS 11.2.3
– All subsequent PAN-OS versions
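As an added illustration, not part of the original article and not code from Palo Alto Networks, the following Python script turns the patched-version list above into a check a defender can run over a firewall inventory: it parses PAN-OS version strings of the form major.minor.maintenance with an optional -hN hotfix suffix, compares each one against the fix release quoted for its branch, and flags branches the article gives no fix for (10.0, 11.0, anything below 10) for manual review rather than guessing. The version format, the rule that a release without a hotfix suffix sorts below the same release with one, the branch-to-fix mapping, and the inventory entries are all assumptions or constructed sample data; the script checks version strings only and says nothing about whether DNS Security logging is enabled on a given device.

```python
"""Check PAN-OS version strings against the fixed releases quoted for
CVE-2024-3393. Added example; not from the article or from Palo Alto Networks."""
import re
from typing import Dict, Tuple

# Fixed releases quoted in the article, keyed by release branch (major.minor).
# The article also states that all later PAN-OS versions carry the fix.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (10, 1): "10.1.14-h8",
    (10, 2): "10.2.10-h12",
    (11, 1): "11.1.5",
    (11, 2): "11.2.3",
}

# Assumed version syntax: major.minor.maintenance with an optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple.

    A release with no hotfix suffix gets hotfix 0, so it sorts below the same
    release with any hotfix (assumption based on the -h notation in the article).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'review' for one version string."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        # Branch not listed in the article. 10.X/11.X are stated to be affected
        # but no fix is quoted for e.g. 10.0 or 11.0, so ask for manual review;
        # releases after 11.2 are covered by "all subsequent versions".
        if v[0] > 11:
            return "patched"
        return "review"
    return "patched" if v >= parse_version(fixed) else "vulnerable"


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname in an inventory to its assessment."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-edge-01": "10.2.10-h12",  # at the quoted fix: patched
    "fw-edge-02": "10.2.9-h3",    # below the 10.2 fix: vulnerable
    "fw-dc-01": "11.1.4-h2",      # below 11.1.5: vulnerable
    "fw-lab-01": "11.0.3",        # branch not listed: review
}

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:14} {status}")
```

Feed it the version strings from your own inventory export; anything reported as "vulnerable" is a candidate for the upgrade or for the temporary logging mitigation described in the article, and anything reported as "review" needs a look at the vendor advisory for that branch.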

Temporary Mitigation Steps:
1. For unmanaged firewalls: Set Log Severity to “none” for DNS Security categories
2. For Strata Cloud Manager-managed firewalls: Disable DNS Security logging directly or via support
3. For Prisma Access tenants: Contact support to disable logging until upgrade completion

The vulnerability’s severity reduces to CVSS 7.1 when access is limited to authenticated Prisma Access users. Palo Alto Networks discovered this issue during production use and has confirmed customer incidents related to malicious DNS packets triggering the vulnerability.