CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet
Description
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
This issue is applicable to the PAN-OS software versions listed below on PA-Series firewalls, VM-Series firewalls, CN-Series firewalls, and Prisma Access.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS | None on Panorama | All on Panorama |
| PAN-OS 11.2 | < 11.2.3* | >= 11.2.3* |
| PAN-OS 11.1 | < 11.1.2-h16* < 11.1.3-h13* < 11.1.4-h6* < 11.1.5* | >= 11.1.2-h16* >= 11.1.3-h13* >= 11.1.4-h6* >= 11.1.5* |
| PAN-OS 10.2 | >= 10.2.8* < 10.2.8-h19 * < 10.2.9-h19 * < 10.2.10-h12* < 10.2.11-h10* < 10.2.12-h4* < 10.2.13-h2* < 10.2.14* | < 10.2.8* >= 10.2.8-h19 * >= 10.2.9-h19 * >= 10.2.10-h12* >= 10.2.11-h10* >= 10.2.12-h4* >= 10.2.13-h2* >= 10.2.14* |
| PAN-OS 10.1 | >= 10.1.14* < 10.1.14-h8* < 10.1.15* | < 10.1.14* >= 10.1.14-h8* >= 10.1.15* |
| PAN-OS 10.0 | None | All |
| PAN-OS 9.1 | None | All |
| Prisma Access | >= 10.2.8* on PAN-OS < 10.2.9-h19* on PAN-OS < 10.2.10-h12* on PAN-OS < 11.2.3* on PAN-OS | < 10.2.8* on PAN-OS >= 10.2.9-h19* on PAN-OS >= 10.2.10-h12* on PAN-OS >= 11.2.3* on PAN-OS |
* See the Solution section for additional fixes and ETAs for commonly deployed maintenance releases.
Required Configuration for Exposure
This issue does not affect Cloud NGFW, Panorama M-Series, or Panorama virtual appliances.
Both of the following must be true for PAN-OS software to be affected:
- Either a DNS Security License or an Advanced DNS Security License must be applied, AND
- DNS Security logging must be enabled.
> show configuration merged | match log-level
- Look for entries with the string 'log-level':
- If no entries are found (output is empty) or all entries show 'log-level none;', your configuration is not vulnerable, and no workaround is needed.
- If any entries show values other than 'log-level none;', your configuration is vulnerable. You should either upgrade PAN-OS or follow the steps in the workaround section.
Severity: HIGH, Suggested Urgency: MODERATE
An attacker sends a malicious packet through the firewall, which processes a malicious packet that triggers this issue.
CVSS-BT:
8.7 /
CVSS-B:
8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:A/AU:N/R:U/V:C/RE:M/U:Amber)
Prisma Access, when only providing access to authenticated end users, processes a malicious packet that triggers this issue.
CVSS-BT:
7.1 /
CVSS-B:
7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:A/AU:N/R:U/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is aware of customers experiencing this denial of service (DoS) when their firewall blocks malicious DNS packets that trigger this issue.
Weakness Type and Impact
CWE-754 Improper Check for Unusual or Exceptional Conditions
Solution
This issue is fixed in PAN-OS 10.1.15, PAN-OS 10.2.14, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.
Note: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release.
Prisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided below. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a support case.
In addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.
Additional PAN-OS 11.1 releases with the fix:
- 11.1.2-h16 (available)
- 11.1.3-h13 (available)
- 11.1.4-h7 (available)
- 11.1.5 (available)
- 10.2.8-h19 (available)
- 10.2.9-h19 (available)
- 10.2.10-h12 (available)
- 10.2.11-h10 (available)
- 10.2.12-h4 (available)
- 10.2.13-h2 (available)
- 10.2.14 (ETA: early March)
- 10.1.14-h8 (available)
- 10.1.15 (ETA: end of February)
- 10.2.9-h19 (available)
- 10.2.10-h12 (available)
Workarounds and Mitigations
If your firewall running the vulnerable PAN-OS versions stops responding or reboots unexpectedly and you cannot immediately apply a fix, apply a workaround below based on your deployment.
Unmanaged NGFWs, NGFW managed by Panorama, or Prisma Access managed by Panorama
- Ensure that a DNS Security Configuration is already present in the device's configuration. See the "Required Configuration for Exposure" section for details.
- Within Objects → Security Profiles, determine if you use the predefined Anti-Spyware profiles in your Security Policy. These are named "Default" or "Strict". If you are using the predefined security profiles, clone the predefined Anti-Spyware profile for use as a custom Anti-Spyware profile. After cloning each relevant predefined Anti-Spyware profile, replace them with the cloned custom Anti-Spyware profile or group in your Security Rules (Policies → Security → (security rule) in either Actions → Profiles or Actions → Group).
- For each custom Anti-Spyware profile, navigate to Objects → Security Profiles → Anti-Spyware → (select a custom profile) → DNS Policies → DNS Security.
- Change the Log Severity to "none" for all configured DNS Security categories.
- Commit the changes.
Note 2: Remember to revert the Log Severity settings once the fixes are applied.
NGFW managed by Strata Cloud Manager (SCM)
- Option 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above.
- Option 2: Disable DNS Security logging across all NGFWs in your tenant by opening a support case.
Prisma Access managed by Strata Cloud Manager (SCM)
Until we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a support case. If you would like to expedite the upgrade, please make a note of that in the support case.
Acknowledgments
CPEs
cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:*:*:*:*:*:*