Palo Alto Networks Security Advisories / CVE-2024-3385

CVE-2024-3385 PAN-OS: Firewall Denial of Service (DoS) when GTP Security is Disabled

Urgency MODERATE

047910
Severity 8.2 · HIGH
Response Effort LOW
Recovery USER
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements PRESENT
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

A packet processing mechanism in Palo Alto Networks PAN-OS software enables a remote attacker to reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.

This affects the following hardware firewall models:

- PA-5400 Series firewalls

- PA-7000 Series firewalls

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
PAN-OS 11.1NoneAll
PAN-OS 11.0< 11.0.3>= 11.0.3
PAN-OS 10.2< 10.2.8>= 10.2.8
PAN-OS 10.1< 10.1.12>= 10.1.12
PAN-OS 9.1< 9.1.17>= 9.1.17
PAN-OS 9.0< 9.0.17-h4>= 9.0.17-h4
Prisma Access NoneAll

Required Configuration for Exposure

This does not affect VM-Series firewalls, CN-Series firewalls, Cloud NGFWs, or Prisma Access.

This issue affects only PAN-OS configurations with GTP Security disabled; it does not affect PAN-OS configurations that have GTP Security enabled. You should verify whether GTP Security is disabled by checking your firewall web interface (Device > Setup > Management > General Settings) and take the appropriate actions as needed.

Severity: HIGH, Suggested Urgency: MODERATE

CVSS-B: 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. This was encountered by two customers in normal production usage.

Weakness Type

CWE-20 Improper Input Validation

CWE-476: NULL Pointer Dereference

Solution

This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94993 (introduced in Applications and Threats content version 8832).

Acknowledgments

Palo Alto Networks thanks an external reporter for discovering and reporting this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.