Advisory

January 3 Advisory: Actively Exploited Vulnerability in Palo Alto Networks PAN-OS [CVE-2024-3393]

Date of Disclosure: December 26, 2024
Date Reported as Actively Exploited: December 30, 2024

CVE-2024-3393 is a Denial of Service (DoS) vulnerability affecting PA-Series firewalls, VM-Series firewalls, CN-Series firewalls, and Prisma Access running the DNS Security feature in the following PAN-OS versions:

  • PAN-OS 11.2: < 11.2.3
  • PAN-OS 11.1: < 11.1.5
  • PAN-OS 10.2: >= 10.2.8 and < 10.2.14
  • PAN-OS 10.1: >= 10.1.14 and < 10.1.15
  • Prisma Access: >= 10.2.8 on PAN-OS and < 11.2.3 on PAN-OS

If successfully exploited, an unauthenticated attacker can send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

When a firewall enters maintenance mode, it temporarily stops enforcing security policies and protecting network traffic. Repeatedly triggering this condition could force the firewall to remain in maintenance mode, effectively disabling network security controls.

CVE-2024-3393 was added to CISA KEV on December 30, 2024, and Palo Alto Networks has observed its firewalls blocking malicious DNS packets exploiting this vulnerability. Their security advisory provides patching instructions and mitigation steps for unexpected reboots when the fix cannot be immediately applied.

Field Details

CVE-ID: CVE-2024-3393 – CVSS 8.7 (high) – assigned by Palo Alto Networks
Vulnerability Description: A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
Date of Disclosure: December 26, 2024
Affected Assets: PA-Series firewalls, VM-Series firewalls, CN-Series firewalls, and Prisma Access running the DNS Security feature.
Vulnerable Software Versions:
  • PAN-OS 11.2: < 11.2.3
  • PAN-OS 11.1: < 11.1.5
  • PAN-OS 10.2: >= 10.2.8 and < 10.2.14
  • PAN-OS 10.1: >= 10.1.14 and < 10.1.15
  • Prisma Access: >= 10.2.8 on PAN-OS and < 11.2.3 on PAN-OS
PoC Available?: We did not observe any public exploits available at the time of writing.
Exploitation Status: CVE-2024-3393 was added to CISA KEV on December 30, 2024.
Patch Status: This issue is fixed in PAN-OS 10.1.15, PAN-OS 10.2.14, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions. Palo Alto Networks provided additional instructions for workarounds and mitigations in their security advisory.
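As an added example (not part of the Censys advisory and not Palo Alto Networks code), the Python below encodes the affected version ranges listed above and classifies inventory records against them, distinguishing hosts on an affected release that do not run DNS Security from those that are actually vulnerable. The host names, version strings and the `dns_security` field in the sample inventory are constructed for illustration; the checker mirrors only the release-level ranges given in this advisory and does not model hotfix-level fixes.

```python
"""Added example (not from the Censys advisory): classify PAN-OS and Prisma Access
version strings against the CVE-2024-3393 affected ranges listed in the advisory.
Only the release-level ranges on the page are encoded; hotfix-level fixes are not."""
from typing import Dict, List, Optional, Tuple

# Affected PAN-OS ranges from the advisory, keyed by release train:
# (lower bound inclusive, or None for "every release of the train"; upper bound exclusive).
AFFECTED_PAN_OS: Dict[str, Tuple[Optional[str], str]] = {
    "11.2": (None, "11.2.3"),
    "11.1": (None, "11.1.5"),
    "10.2": ("10.2.8", "10.2.14"),
    "10.1": ("10.1.14", "10.1.15"),
}
# Prisma Access range from the advisory: >= 10.2.8 and < 11.2.3 (spans several trains).
AFFECTED_PRISMA_ACCESS: Tuple[str, str] = ("10.2.8", "11.2.3")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple; a missing hotfix counts as 0."""
    base, _, hotfix = version.strip().partition("-h")
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint = (int(p) for p in parts)
    return (major, minor, maint, int(hotfix) if hotfix else 0)


def is_affected(version: str) -> bool:
    """True when a PAN-OS version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    if train not in AFFECTED_PAN_OS:
        return False  # release train not listed in the advisory
    lower, upper = AFFECTED_PAN_OS[train]
    if lower is not None and v < parse_version(lower):
        return False
    return v < parse_version(upper)


def is_prisma_access_affected(version: str) -> bool:
    """True when the PAN-OS version behind Prisma Access lies in >= 10.2.8 and < 11.2.3."""
    v = parse_version(version)
    lower, upper = AFFECTED_PRISMA_ACCESS
    return parse_version(lower) <= v < parse_version(upper)


def classify(record: Dict[str, object]) -> str:
    """Map one inventory record (assumed schema) to a triage status string."""
    product = record["product"]
    version = str(record["version"])
    affected = (is_prisma_access_affected(version) if product == "Prisma Access"
                else is_affected(version))
    if not affected:
        return "not affected"
    # The advisory scopes the issue to devices running the DNS Security feature.
    if not record.get("dns_security", False):
        return "affected version, DNS Security not enabled"
    return "vulnerable"


# Constructed records for illustration; these are not Censys observations.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "fw-edge-1", "product": "PAN-OS", "version": "10.2.10-h3", "dns_security": True},
    {"host": "fw-edge-2", "product": "PAN-OS", "version": "10.2.14", "dns_security": True},
    {"host": "fw-lab", "product": "PAN-OS", "version": "11.1.4", "dns_security": False},
    {"host": "fw-old", "product": "PAN-OS", "version": "10.1.13", "dns_security": True},
    {"host": "vpn-gw", "product": "Prisma Access", "version": "11.0.2", "dns_security": True},
]


def assess_inventory(inventory: List[Dict[str, object]]) -> Dict[str, str]:
    """Return {host: status} for every record in the inventory."""
    return {str(r["host"]): classify(r) for r in inventory}


if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
```

Hosts reported as "affected version, DNS Security not enabled" are outside the advisory's stated trigger condition but still sit on an unpatched release; upgrading them to the fixed versions listed under Patch Status removes the dependency on that feature toggle staying off.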

Censys Perspective

At the time of writing, Censys observed 271,455 exposed devices running PAN-OS software. A large proportion of these (40%) are geolocated in the United States. Note that not all observed instances are necessarily vulnerable, since specific version information is not available to us.

Most of these observed devices are GlobalProtect portals. According to GlobalProtect documentation, a GlobalProtect portal is typically configured on an existing interface of a Palo Alto Networks firewall, so each observed portal sits on a PAN-OS firewall.

[Figure: Map of Exposed Devices Running PAN-OS]

Censys Search Query:

services.software: (vendor="Palo Alto Networks" and product="PAN-OS") and not labels: {honeypot, tarpit}

Censys ASM Query:

host.services.software: (vendor="Palo Alto Networks" and product="PAN-OS") and not host.labels: {honeypot, tarpit}
