Palo Alto Releases Patch for PAN-OS DoS Flaw — Update Immediately

Dec 27, 2024 | Ravie Lakshmanan | Firewall Security / Vulnerability

Palo Alto Networks has disclosed a high-severity vulnerability impacting PAN-OS software that could cause a denial-of-service (DoS) condition on susceptible devices.

The flaw, tracked as CVE-2024-3393 (CVSS score: 8.7), impacts PAN-OS versions 10.X and 11.X, as well as Prisma Access running PAN-OS versions. It has been addressed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.

“A denial-of-service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall,” the company said in a Friday advisory.

“Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.”


Palo Alto Networks said it discovered the flaw in production use, and that it is aware of customers “experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that trigger this issue.”

The extent of the activity is presently unknown. The Hacker News has reached out to Palo Alto Networks for further comment, and we will update the story if we hear back.

It is worth pointing out that firewalls that have DNS Security logging enabled are affected by CVE-2024-3393. The severity of the flaw also drops to a CVSS score of 7.1 when access is only provided to authenticated end users via Prisma Access.

The fixes have also been extended to other commonly deployed maintenance releases:

  • PAN-OS 11.1 (11.1.2-h16, 11.1.3-h13, 11.1.4-h7, and 11.1.5)
  • PAN-OS 10.2 (10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, and 10.2.14)
  • PAN-OS 10.1 (10.1.14-h8 and 10.1.15)
  • PAN-OS 10.2.9-h19 and 10.2.10-h12 (only applicable to Prisma Access)
  • PAN-OS 11.0 (No fix owing to it reaching end-of-life status on November 17, 2024)
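
To triage a device inventory against the fixed-release list above, the following added example (not from the advisory or this article) classifies a PAN-OS version string. It assumes hotfixes on a maintenance release are cumulative, so a hotfix number at or above the listed one counts as fixed; the status labels and the sample hostnames are constructed.

```python
import re

# Fixed builds per release train, from the list above:
# (maintenance release, minimum hotfix). Hotfix 0 means the base release.
FIXED = {
    (10, 1): [(14, 8), (15, 0)],
    (10, 2): [(8, 19), (9, 19), (10, 12), (11, 10), (12, 4), (13, 2), (14, 0)],
    (11, 1): [(2, 16), (3, 13), (4, 7), (5, 0)],
    (11, 2): [(3, 0)],
}
NO_FIX = {(11, 0)}  # end-of-life train that the article says gets no fix

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version):
    """Split 'major.minor.maint[-hN]' into ((major, minor), maint, hotfix)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor), maint, hotfix


def cve_2024_3393_status(version):
    """Return 'fixed', 'unpatched', 'no-fix' or 'not-listed'."""
    train, maint, hotfix = parse_panos(version)
    if train in NO_FIX:
        return "no-fix"
    if train > max(FIXED):            # newer train than any listed: "all later versions"
        return "fixed"
    if train not in FIXED:
        return "not-listed"           # the article names no fixed build for this train
    fixes = dict(FIXED[train])
    if maint > max(fixes):            # later than the newest listed maintenance release
        return "fixed"
    if maint in fixes and hotfix >= fixes[maint]:
        return "fixed"                # assumption: hotfixes are cumulative
    return "unpatched"


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    for host, ver in [("fw-edge-1", "10.2.9-h18"), ("fw-edge-2", "10.2.13-h2"),
                      ("fw-dc-1", "11.0.4"), ("fw-dc-2", "11.2.4-h1")]:
        print(f"{host:10} {ver:12} {cve_2024_3393_status(ver)}")
```

A result of `unpatched` only says the build lacks the fix; per the article, a firewall is affected when DNS Security logging is enabled.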

As workarounds and mitigations for unmanaged firewalls or those managed by Panorama, customers have the option of setting Log Severity to “none” for all configured DNS Security categories for each Anti-Spyware profile by navigating to Objects > Security Profiles > Anti-spyware > (select a profile) > DNS Policies > DNS Security.

For firewalls managed by Strata Cloud Manager (SCM), users can either follow the above steps to disable DNS Security logging directly on each device, or across all of them by opening a support case. For Prisma Access tenants managed by SCM, it is recommended to open a support case to turn off logging until an upgrade is performed.
