Palo Alto Networks Security Advisories / CVE-2024-3386

CVE-2024-3386 PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended

Urgency MODERATE

047910
Severity 6.9 · MEDIUM
Response Effort LOW
Recovery AUTOMATIC
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity LOW
Product Availability NONE
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
PAN-OS 11.1NoneAll
PAN-OS 11.0< 11.0.1-h2, < 11.0.2>= 11.0.1-h2, >= 11.0.2
PAN-OS 10.2< 10.2.4-h2, < 10.2.5>= 10.2.4-h2, >= 10.2.5
PAN-OS 10.1< 10.1.9-h3, < 10.1.10>= 10.1.9-h3, >= 10.1.10
PAN-OS 10.0< 10.0.13>= 10.0.13
PAN-OS 9.1< 9.1.17>= 9.1.17
PAN-OS 9.0< 9.0.17-h2>= 9.0.17-h2
Prisma Access NoneAll

Required Configuration for Exposure

You must configure Predefined Decryption Exclusions on your PAN-OS firewalls. You should check to see whether you have any configured exclusions in your firewall web interface (Device > Certificate Management > SSL Decryption Exclusions).

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-B: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-436 Interpretation Conflict

Solution

This issue is fixed in 9.0.17-h2, 9.0.18, 9.1.17, 10.0.13, 10.1.9-h3, 10.1.10, 10.2.4-h2, 10.2.5, 11.0.1-h2, 11.0.2, and all later PAN-OS versions.

Acknowledgments

Palo Alto Networks thanks Frederic De Vlieger for discovering and reporting this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.