CVE-2024-3386 PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended
Description
An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.1 | None | All |
| PAN-OS 11.0 | < 11.0.1-h2, < 11.0.2 | >= 11.0.1-h2, >= 11.0.2 |
| PAN-OS 10.2 | < 10.2.4-h2, < 10.2.5 | >= 10.2.4-h2, >= 10.2.5 |
| PAN-OS 10.1 | < 10.1.9-h3, < 10.1.10 | >= 10.1.9-h3, >= 10.1.10 |
| PAN-OS 10.0 | < 10.0.13 | >= 10.0.13 |
| PAN-OS 9.1 | < 9.1.17 | >= 9.1.17 |
| PAN-OS 9.0 | < 9.0.17-h2 | >= 9.0.17-h2 |
| Prisma Access | None | All |
Required Configuration for Exposure
You must configure Predefined Decryption Exclusions on your PAN-OS firewalls. You should check to see whether you have any configured exclusions in your firewall web interface (Device > Certificate Management > SSL Decryption Exclusions).
Severity: MEDIUM
CVSSv4.0 Base Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-436 Interpretation Conflict
Solution
This issue is fixed in 9.0.17-h2, 9.0.18, 9.1.17, 10.0.13, 10.1.9-h3, 10.1.10, 10.2.4-h2, 10.2.5, 11.0.1-h2, 11.0.2, and all later PAN-OS versions.