Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks



An important vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto Networks' PAN-OS software.

This flaw allows unauthenticated attackers to exploit firewalls with specially crafted packets, causing denial-of-service (DoS) conditions.

The issue has been actively exploited, prompting urgent mitigation measures.


Details of the Vulnerability

The vulnerability stems from improper handling of malicious DNS packets in the data plane of affected firewalls.


Attackers can send a specially crafted packet that forces the firewall to reboot. Repeated exploitation can push the firewall into maintenance mode, rendering it non-operational.

This issue is rated high severity with a CVSS score of 8.7, reflecting its significant impact on system availability.

Key characteristics of the vulnerability include:

  • Attack Vector: Network-based
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

The flaw affects specific versions of PAN-OS, including versions below 11.2.3, 11.1.5, and certain maintenance releases of 10.1 and 10.2.

Impact and Exploitation

The vulnerability has been observed in production environments where DNS Security logging is enabled.

Exploitation results in service disruptions, particularly for organizations relying on Palo Alto Networks' firewalls for critical network security operations.

While confidentiality and integrity are unaffected, availability is significantly compromised.

Palo Alto Networks has confirmed that customers have experienced DoS attacks triggered by this issue.

The weakness is categorized under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CAPEC-540 (Overread Buffers).

Mitigation and Fixes

Palo Alto Networks has released patches to address the vulnerability in the following PAN-OS versions:

  • PAN-OS 11.2: Fixed in version 11.2.3
  • PAN-OS 11.1: Fixed in version 11.1.5
  • PAN-OS 10.2: Fixed in versions 10.2.10-h12 and 10.2.13-h2
  • PAN-OS 10.1: Fixed in version 10.1.14-h8

For Prisma Access customers, upgrades will be rolled out in phases on January 3rd and January 10th, 2025. Customers can expedite upgrades by submitting support cases.

As an immediate workaround, administrators can disable DNS Security logging by navigating to Anti-spyware profiles and setting DNS Security log severity to "none."

This temporary measure should be reverted once fixes are applied.

Organizations are urged to update affected systems promptly or implement recommended mitigations to prevent service disruptions caused by this vulnerability.
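For triaging a firewall inventory against the fixed releases listed above, the following added example (not code from Palo Alto Networks or from the original article) parses PAN-OS version strings with their `-hN` hotfix suffix and classifies each one. The function names, status labels and sample inventory are assumptions made for illustration, and the fixed-release table contains only the versions this article names.

```python
import re

# Fixed releases as listed in the article: (major, minor, maintenance, hotfix).
FIXED = {
    (11, 2): [(11, 2, 3, 0)],
    (11, 1): [(11, 1, 5, 0)],
    (10, 2): [(10, 2, 10, 12), (10, 2, 13, 2)],
    (10, 1): [(10, 1, 14, 8)],
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '10.2.10-h12' into (10, 2, 10, 12); a missing hotfix counts as 0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def status(version):
    """Classify one version string against the article's fixed-release list."""
    parsed = parse_version(version)
    fixes = FIXED.get(parsed[:2])
    if fixes is None:
        return "unlisted-branch"  # the article gives no fix data for this branch
    # Assumption: releases at or after the newest listed fix carry the fix.
    if parsed >= max(fixes):
        return "fixed"
    # A hotfix on an older maintenance release covers only that release, so
    # 10.2.10-h12 says nothing about 10.2.11 or 10.2.12.
    for fix in fixes:
        if parsed[:3] == fix[:3] and parsed[3] >= fix[3]:
            return "fixed"
    return "needs-review"  # not confirmed fixed; check the vendor advisory


def triage(inventory):
    """Map each firewall name to its status."""
    return {name: status(version) for name, version in inventory.items()}


# Constructed inventory for illustration; not real devices.
SAMPLE_INVENTORY = {
    "edge-fw-01": "11.2.2-h1",
    "edge-fw-02": "10.2.10-h12",
    "dc-fw-01": "10.2.11",
    "lab-fw-01": "10.1.14-h8",
}

if __name__ == "__main__":
    for name, result in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {result}")
```

Devices reported as `needs-review` are candidates for the DNS Security logging workaround described above until their status is confirmed against the vendor advisory.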
