CVE-2024-3393 is a high-severity Denial of Service (DoS) vulnerability discovered in the DNS Security feature of Palo Alto Networks’ PAN-OS software. This vulnerability can be exploited by an unauthenticated attacker, meaning the attacker does not need any credentials or special permissions to execute the attack.
Key Details:
- CVSS Score: 8.7 (High)
- Affected Versions:
- PAN-OS 11.2 (versions earlier than 11.2.3)
- PAN-OS 11.1 (versions earlier than 11.1.5)
- PAN-OS 10.2 (versions earlier than 10.2.10-h12 or 10.2.13-h2)
- PAN-OS 10.1 (versions earlier than 10.1.14-h8)
How It Works:
An attacker can exploit this vulnerability by sending a specially crafted malicious packet through the firewall’s data plane. The data plane is responsible for processing network traffic and enforcing security policies. When the firewall receives this malicious packet, it causes the device to reboot unexpectedly. Repeated exploitation of this vulnerability can force the firewall into a maintenance mode, significantly impacting the availability of network services.
Impact:
- Attack Vector: Network-based (the attack can be executed remotely)
- Privileges Required: None (no authentication or special permissions needed)
- User Interaction: None (the victim does not need to take any action)
- Impact on CIA Triad:
- Confidentiality: No impact
- Integrity: No impact
- Availability: High impact (network services can be disrupted)
Mitigation:
Palo Alto Networks has released patches to address this vulnerability in the following versions:
- PAN-OS 11.2.3 and later
- PAN-OS 11.1.5 and later
- PAN-OS 10.2.10-h12, PAN-OS 10.2.13-h2, and later
- PAN-OS 10.1.14-h8 and later
Organizations using affected versions of PAN-OS are strongly urged to apply these patches as soon as possible to mitigate the risk. If immediate patching is not feasible, disabling DNS Security logging is recommended as a temporary workaround to reduce the potential impact of this vulnerability.
