Palo Alto Networks has disclosed a critical security vulnerability (CVE-2024-3393) affecting their PAN-OS software that allows attackers to trigger denial-of-service conditions through DNS Security features. The actively exploited flaw carries a CVSS score of 8.7 and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Impact and Scope:
- Affects PAN-OS versions 10.X and 11.X
- Impacts Prisma Access running specific PAN-OS versions
- Only affects firewalls with DNS Security logging enabled
- Can cause firewall reboots and trigger maintenance mode
- Severity is reduced to 7.1 for authenticated Prisma Access users
Mitigation Options:
- Update to patched versions:
  - PAN-OS 10.1.14-h8
  - PAN-OS 10.2.10-h12
  - PAN-OS 11.1.5
  - PAN-OS 11.2.3 or later
- Temporary workarounds:
  - Disable DNS Security logging
  - Set Log Severity to “none” for DNS Security categories
  - Contact support for SCM-managed systems
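As an added example (not code from the advisory or from Palo Alto Networks), the following Python triages a firewall inventory against the patched versions and the logging workaround listed above. It assumes the MAJOR.MINOR.MAINT-hN version notation and a constructed inventory; release trains for which the summary names no fixed version are reported as unknown rather than guessed.

```python
import re

# Fixed releases named in the advisory summary, keyed by release train
# (major, minor) and compared as (major, minor, maintenance, hotfix).
FIXED_BY_TRAIN = {
    (10, 1): (10, 1, 14, 8),
    (10, 2): (10, 2, 10, 12),
    (11, 1): (11, 1, 5, 0),
    (11, 2): (11, 2, 3, 0),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Parse 'MAJOR.MINOR.MAINT[-hN]' (assumed PAN-OS notation) into a tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def is_patched(text):
    """True/False against the fixed release of the same train; None when the
    summary lists no fixed release for that train (e.g. 10.0 or 11.0)."""
    version = parse_version(text)
    fixed = FIXED_BY_TRAIN.get(version[:2])
    return None if fixed is None else version >= fixed

def triage(text, dns_security_logging):
    """Classify one device as patched, workaround-applied, exposed or
    unknown-train. Disabled DNS Security logging counts as the interim
    workaround, since only logging-enabled firewalls are affected."""
    patched = is_patched(text)
    if patched:
        return "patched"
    if not dns_security_logging:
        return "workaround-applied"
    return "unknown-train" if patched is None else "exposed"

# Constructed sample inventory: (hostname, version, DNS Security logging on?)
INVENTORY = [
    ("fw-edge-1", "10.2.9-h1", True),
    ("fw-edge-2", "10.2.10-h12", True),
    ("fw-dc-1", "11.1.4", False),
    ("fw-lab-1", "11.0.2", True),
]

def triage_inventory(inventory=INVENTORY):
    """Return {hostname: status} so exposed devices can be listed first."""
    return {host: triage(ver, log) for host, ver, log in inventory}
```

Devices reported as "unknown-train" need the full vendor advisory, since the summary above only lists fixes for the 10.1, 10.2, 11.1 and 11.2 trains.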
Federal agencies must apply patches by January 20, 2025. Palo Alto Networks discovered the vulnerability through production use and has confirmed active exploitation in the wild.
Read the full security advisory from Palo Alto:
https://security.paloaltonetworks.com/CVE-2024-3393