Warning: Firewall Denial Of Service (DoS) In PAN-OS! Patch Immediately!
CVE-2024-3393: CVSS 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:H/RL:O/RC:C)
Sources
Palo Alto Networks: https://security.paloaltonetworks.com/CVE-2024-3393
Risks
An unauthenticated attacker can exploit this vulnerability to cause a denial of service by rebooting the firewall or forcing it into maintenance mode. This could lead to network downtime, loss of protection, and potential exposure of internal networks to external threats. The primary impact is on system availability, with no direct effect on confidentiality or integrity.
The attack is network-based, requires low complexity, and needs no user interaction, making it relatively easy to exploit.
According to Palo Alto Networks, the vulnerability is currently being actively exploited.
Description
A vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall. This will reboot the device. Repeated attempts will cause the firewall to enter maintenance mode and effectively cause a Denial of Service.
For more details see the website of the manufacturer: https://security.paloaltonetworks.com/CVE-2024-3393.
Recommended actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Please patch your systems to the following software versions:
- Palo Alto Networks PAN-OS >= 11.2.3
- Palo Alto Networks PAN-OS >= 11.1.5
- Palo Alto Networks PAN-OS >= 10.2.1
- Palo Alto Networks PAN-OS >= 10.1.15
- Prisma Access >= 11.2.3 on PAN-OS
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
Zero-day.cz: https://www.zero-day.cz/database/945/
The Cyber Express: https://thecyberexpress.com/pan-os-versions-vulnerability-added-to-cisas/