Hackers exploit DoS flaw to disable Palo Alto Networks firewalls

Palo Alto Networks is warning that hackers are exploiting the CVE-2024-3393 denial of service vulnerability to disable firewall protections by forcing the firewall to reboot.

Exploiting the security issue repeatedly, however, causes the device to enter maintenance mode, and manual intervention is required to restore it to normal operations.

“A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall,” reads the advisory.

DoS bug is actively exploited

Palo Alto Networks says that the vulnerability can be exploited by an unauthenticated attacker who sends a specially crafted, malicious packet to an affected device.

The issue only impacts devices where ‘DNS Security’ logging is enabled, while the product versions affected by CVE-2024-3393 are shown below.

Versions

The vendor confirmed that the flaw is actively exploited, noting that customers experienced outages when their firewall blocked malicious DNS packets from attackers leveraging the issue.

The company has addressed the flaw in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and subsequent releases.

However, it is noted that PAN-OS 11.0, which is impacted by CVE-2024-3393, will not receive a patch because that version has reached its end-of-life (EOL) date on November 17.
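For triaging a fleet against the fixed releases named above, the following added example (not code from Palo Alto Networks or the original article) compares PAN-OS version strings, including `-hN` hotfix suffixes, per release train. It knows only the releases listed in this article, so "below-listed-fix" means "confirm against the vendor advisory"; the device names and inventory are constructed.

```python
import re

# Fixed releases as listed in the article, keyed by release train.
# Value is (maintenance, hotfix); hotfix 0 is the base maintenance release.
FIXED = {
    (10, 1): (14, 8),   # PAN-OS 10.1.14-h8
    (10, 2): (10, 12),  # PAN-OS 10.2.10-h12
    (11, 1): (5, 0),    # PAN-OS 11.1.5
    (11, 2): (3, 0),    # PAN-OS 11.2.3
}
EOL_NO_PATCH = {(11, 0)}  # impacted per the article, no patch will ship

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Split '10.2.10-h12' into ((10, 2), (10, 12))."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    major, minor, maint, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (maint, hotfix)

def triage(version):
    """Classify one version against the article's fixed-release list."""
    train, build = parse(version)
    if train in EOL_NO_PATCH:
        return "eol-no-patch"
    if train not in FIXED:
        return "not-listed"  # train not mentioned in the article
    return "fixed" if build >= FIXED[train] else "below-listed-fix"

def needs_workaround(inventory):
    """Devices with DNS Security logging enabled and no listed fix installed."""
    return [name for name, version, dns_sec_logging in inventory
            if dns_sec_logging
            and triage(version) in ("below-listed-fix", "eol-no-patch")]

# Constructed sample inventory: (hostname, PAN-OS version, DNS Security logging on?)
INVENTORY = [
    ("fw-edge-01", "10.2.10-h11", True),
    ("fw-edge-02", "10.2.10-h12", True),
    ("fw-dc-01", "11.0.6", True),
    ("fw-dc-02", "11.1.4-h7", False),
    ("fw-lab-01", "11.2.3", True),
]

if __name__ == "__main__":
    for name in needs_workaround(INVENTORY):
        print(f"{name}: apply the logging workaround or upgrade")
```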

Palo Alto Networks has also published workarounds and steps to mitigate the problem for those who cannot immediately update:

For unmanaged NGFWs, NGFWs managed by Panorama, or Prisma Access managed by Panorama:

  1. Navigate to: Objects → Security Profiles → Anti-spyware → DNS Policies → DNS Security for each Anti-spyware profile.
  2. Change the Log Severity to “none” for all configured DNS Security categories.
  3. Commit the changes and revert the Log Severity settings after applying the fixes.

For NGFWs managed by Strata Cloud Manager (SCM):

  • Option 1: Disable DNS Security logging directly on each NGFW using the steps above.
  • Option 2: Disable DNS Security logging across all NGFWs in the tenant by opening a support case.

For Prisma Access managed by Strata Cloud Manager (SCM):

  1. Open a support case to disable DNS Security logging across all NGFWs in your tenant.
  2. If needed, request to expedite the Prisma Access tenant upgrade in the support case.
