Palo Alto Networks Security Advisories / CVE-2024-3385

CVE-2024-3385 PAN-OS: Firewall Denial of Service (DoS) when GTP Security is Disabled

Severity 8.2 · HIGH
Response Effort LOW
Recovery USER
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements PRESENT
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE


A packet processing mechanism in Palo Alto Networks PAN-OS software enables a remote attacker to reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.

This affects the following hardware firewall models:

- PA-5400 Series firewalls

- PA-7000 Series firewalls

Product Status

Cloud NGFW NoneAll
PAN-OS 11.1NoneAll
PAN-OS 11.0< 11.0.3>= 11.0.3
PAN-OS 10.2< 10.2.8>= 10.2.8
PAN-OS 10.1< 10.1.12>= 10.1.12
PAN-OS 9.1< 9.1.17>= 9.1.17
PAN-OS 9.0< 9.0.17-h4>= 9.0.17-h4
Prisma Access NoneAll

Required Configuration for Exposure

This does not affect VM-Series firewalls, CN-Series firewalls, Cloud NGFWs, or Prisma Access.

This issue affects only PAN-OS configurations with GTP Security disabled; it does not affect PAN-OS configurations that have GTP Security enabled. You should verify whether GTP Security is disabled by checking your firewall web interface (Device > Setup > Management > General Settings) and take the appropriate actions as needed.

Severity: HIGH

CVSSv4.0 Base Score: 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. This was encountered by two customers in normal production usage.

Weakness Type

CWE-20 Improper Input Validation

CWE-476: NULL Pointer Dereference


This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94993 (introduced in Applications and Threats content version 8832).


Palo Alto Networks thanks an external reporter for discovering and reporting this issue.


Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.