Note: This Emerging Threat is also published in the new Fortra Security & Trust Center - the new location for all Emerging Threats beginning in January 2025. Refer to Emerging Threats Moving to Fortra.com for more information on following Emerging Threats in their new location.
Fortra is actively researching a vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software – CVE-2024-3393. This vulnerability could allow an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
Palo Alto has released fixes for this vulnerability, and customers are encouraged to update to a fixed version as soon as possible.
Who is affected?
PAN-OS software is vulnerable in the following versions with a specific configuration, detailed below.
- PAN-OS 11.2 < 11.2.3*
- PAN-OS 11.1 < 11.1.5*
- PAN-OS 10.2 >= 10.2.8*, < 10.2.14*
- PAN-OS 10 >= 10.1.14*, < 10.1.15*
- Prisma Access >= 10.2.8* on PAN-OS, < 11.2.3* on PAN-OS
Both of the following conditions must hold for PAN-OS software to be affected.
- Either a DNS Security License or an Advanced DNS Security License must be applied.
- DNS Security logging must be enabled.
Note: Cloud NGFW and PAN-OS 9 are not affected by this vulnerability.
What can I do?
This issue has been fixed in the following and all later versions of PAN-OS.
- PAN-OS 10.1.14-h8
- PAN-OS 10.2.10-h12
- PAN-OS 11.1.5
- PAN-OS 11.2.3
For more information about this vulnerability, fixed versions, and additional mitigation steps, refer to Palo Alto’s security advisory.
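To turn the affected ranges and the fixed versions listed above into a repeatable inventory check, here is an added example (not Fortra's or Palo Alto's code) that encodes the branches, bounds, and fix thresholds exactly as this page lists them, together with the two configuration preconditions. Hotfix suffixes such as -h8 are parsed so that 10.1.14-h8 sorts above 10.1.14; for any hotfix release not named on this page, Palo Alto's advisory is the authority.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

# Affected ranges per branch, as listed on this page:
# lower bound inclusive (None = from the start of the branch), upper bound exclusive.
AFFECTED_RANGES = {
    "11.2": (None, "11.2.3"),
    "11.1": (None, "11.1.5"),
    "10.2": ("10.2.8", "10.2.14"),
    "10.1": ("10.1.14", "10.1.15"),
}

# First fixed version per branch; the page states "and all later versions".
FIXED_FROM = {
    "10.1": "10.1.14-h8",
    "10.2": "10.2.10-h12",
    "11.1": "11.1.5",
    "11.2": "11.2.3",
}


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' or 'X.Y.Z-hN' into a tuple that compares correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_exposed(version: str, dns_security_license: bool, dns_security_logging: bool) -> bool:
    """True only if the version is in an affected range, below its branch's fix,
    AND both preconditions (DNS Security licence applied, DNS Security logging on) hold."""
    pv = parse_version(version)
    branch = f"{pv[0]}.{pv[1]}"
    if branch not in AFFECTED_RANGES:
        return False  # e.g. PAN-OS 9: not affected per the advisory
    low, high = AFFECTED_RANGES[branch]
    in_range = (low is None or pv >= parse_version(low)) and pv < parse_version(high)
    if not in_range or pv >= parse_version(FIXED_FROM[branch]):
        return False
    return dns_security_license and dns_security_logging


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, licence applied, logging enabled)
    for host, ver, lic, log in [("fw-a", "10.1.14", True, True), ("fw-b", "10.1.14-h8", True, True)]:
        print(host, ver, "EXPOSED" if is_exposed(ver, lic, log) else "not exposed")
```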
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
Alert Logic Vulnerability Scanning: Alert Logic released unauthenticated scan detection on January 3, 2025, to identify vulnerable instances.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
01/03/2025: Alert Logic released unauthenticated scan detection to identify vulnerable instances.