Palo Alto Networks has issued an urgent security patch for a high-severity vulnerability in its PAN-OS software that can put affected firewalls into a denial-of-service (DoS) condition. The flaw, tracked as CVE-2024-3393, affects the PAN-OS 10.1, 10.2, 11.1 and 11.2 release trains, the end-of-life 11.0 train, and specific releases of Prisma Access. An unauthenticated attacker can trigger it by sending a crafted DNS packet that transits the firewall's data plane; the firewall does not have to be the packet's destination, it only has to inspect the traffic. Processing the packet causes the firewall to reboot, and repeated attempts push it into maintenance mode, where it stops forwarding traffic until an administrator intervenes. The flaw carries a CVSS 4.0 base score of 8.7 (High).
Only firewalls with DNS Security logging enabled are affected, so that setting is the first thing to check when scoping exposure. Palo Alto Networks found the vulnerability in production use and has received reports of customers whose firewalls were knocked offline when they blocked the malicious DNS packets that trigger the bug. The exposure is deployment-dependent rather than version-dependent: the severity drops to a CVSS score of 7.1 where only authenticated end users can reach the affected device, as in a Prisma Access deployment.
Palo Alto Networks has fixed the issue in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5 and PAN-OS 11.2.3, and customers are urged to update immediately. The company has also back-ported the fix to a number of other commonly deployed maintenance releases, so organizations that cannot move to the latest release in their train should check the advisory for a hotfix of the release they are already on. PAN-OS 11.0 has reached end-of-life and will not receive a fix; organizations still running it, or any other unsupported release, must upgrade to a supported train to remediate.
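As an added worked example (my code, not Palo Alto Networks' tooling or advisory text), the script below triages a fleet inventory against the four fixed releases named above. It parses PAN-OS version strings, including the `-hN` hotfix suffix, and reports whether a device is fixed, still vulnerable, on the end-of-life 11.0 train, or in need of manual review. Two assumptions are mine: that any later maintenance release on the same train (for example 11.1.6) also carries the fix, and that earlier maintenance releases on a fixed train may have their own back-ported hotfix that this table does not list, so they are reported as "review" rather than "vulnerable". The inventory is constructed sample data.

```python
import re

# Fixed releases named in the advisory summary above, keyed by release train.
# Value is (maintenance release, minimum hotfix number).
FIXED = {
    (10, 1): (14, 8),   # PAN-OS 10.1.14-h8
    (10, 2): (10, 12),  # PAN-OS 10.2.10-h12
    (11, 1): (5, 0),    # PAN-OS 11.1.5
    (11, 2): (3, 0),    # PAN-OS 11.2.3
}
NO_FIX_TRAINS = {(11, 0)}  # end-of-life, no fix published

# e.g. "10.2.10-h12" -> major=10, minor=2, maint=10, hotfix=12
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split a PAN-OS version string into (major, minor, maint, hotfix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version):
    """Classify one version against the fixed releases listed on this page.

    Returns one of:
      "fixed"      - at or beyond a named fixed release on its train
      "vulnerable" - same maintenance release as the fix but an older hotfix
      "review"     - older maintenance release on a fixed train; the advisory
                     may list a back-ported hotfix (assumption: not tracked here)
      "no-fix"     - end-of-life train with no fix available
      "unknown"    - train not covered by the releases named on this page
    """
    major, minor, maint, hotfix = parse_version(version)
    train = (major, minor)
    if train in NO_FIX_TRAINS:
        return "no-fix"
    if train not in FIXED:
        return "unknown"
    fix_maint, fix_hotfix = FIXED[train]
    if maint > fix_maint:
        return "fixed"  # assumption: later maintenance releases include the fix
    if maint == fix_maint:
        return "fixed" if hotfix >= fix_hotfix else "vulnerable"
    return "review"


def triage(inventory):
    """Rank devices that still need action, most exposed first.

    inventory: list of (hostname, version, dns_security_logging_enabled).
    Returns a list of (hostname, status, exposed) excluding fixed devices.
    Exposed means DNS Security logging is on, i.e. the trigger condition
    described in the advisory is present.
    """
    rows = []
    for host, version, logging_on in inventory:
        status = assess(version)
        if status == "fixed":
            continue
        rows.append((host, status, bool(logging_on)))
    # exposed devices first, then by status severity
    order = {"vulnerable": 0, "no-fix": 1, "review": 2, "unknown": 3}
    rows.sort(key=lambda r: (not r[2], order[r[1]], r[0]))
    return rows


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.2.10-h9", True),
    ("fw-edge-02", "10.2.10-h12", True),
    ("fw-dc-01", "11.1.4-h7", True),
    ("fw-dc-02", "11.0.4", False),
    ("fw-lab-01", "9.1.17", True),
    ("fw-branch-07", "11.2.3", False),
]

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status:10} dns-security-logging={'on' if exposed else 'off'}")
```

A "review" result is deliberately not "safe": it means the device is on a fixed train but below the named release, and the back-ported hotfixes the advisory lists for older maintenance releases are not encoded here, so the operator has to compare the exact hotfix against the advisory. Devices reported with logging off are lower priority but still need the upgrade, since the workaround only removes the trigger condition.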
For organizations unable to apply the update immediately, Palo Alto Networks has provided a workaround that removes the trigger condition. On unmanaged firewalls and on firewalls managed by Panorama, administrators can disable DNS Security logging in the Anti-Spyware profile: under the profile's DNS Policies, set the Log Severity for every configured DNS Security category to "none" and commit. Firewalls managed through Strata Cloud Manager (SCM) can apply the same per-profile change, or customers can ask Palo Alto Networks support to disable the logging across all managed devices. Two caveats apply: the workaround turns off logging only, so DNS Security enforcement continues but the security team loses visibility into DNS Security verdicts until logging is restored, and it does not fix the underlying flaw. It should be treated as a stopgap, and upgrading to a fixed PAN-OS release remains the only way to eliminate the vulnerability.