
Critical CVE-2024-3393 Vulnerability in Palo Alto Networks PAN-OS: Risk and Mitigation Insights


Executive Summary

In late December 2024, Palo Alto Networks disclosed CVE-2024-3393, a Denial of Service (DoS) vulnerability in the DNS Security feature of PAN-OS. An unauthenticated attacker can send a specially crafted packet through the firewall's data plane and cause the firewall to reboot; repeated attempts cause it to enter maintenance mode, which takes it out of service until an operator intervenes. Palo Alto Networks confirmed that customers had already experienced the condition in production, and CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, so organizations running affected PAN-OS versions should treat this as actively exploited.

Technical Information

CVE-2024-3393 is a Denial of Service (DoS) vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS. The defect lies in how DNS Security handles and logs a packet it classifies as malicious: a single crafted packet arriving on the data plane is enough to crash the firewall and force a reboot. The attack requires no authentication and no management-plane access, only the ability to send traffic that the firewall inspects, which is exactly what an internet-facing firewall is deployed to do. The vendor's workaround (disabling DNS Security logging) is consistent with the trigger sitting in that logging path, so firewalls with a DNS Security license and DNS Security logging enabled are the ones exposed.

The affected products are PA-Series, VM-Series and CN-Series firewalls and Prisma Access. The vulnerable versions are PAN-OS 11.2 prior to 11.2.3, PAN-OS 11.1 prior to 11.1.5, PAN-OS 10.2 from 10.2.8 through 10.2.13 (fixed in hotfix builds such as 10.2.10-h12 and 10.2.13-h2, and in 10.2.14), and PAN-OS 10.1.14 up to but not including the 10.1.14-h8 hotfix (also fixed in 10.1.15). Because the fixes on the 10.1 and 10.2 lines are hotfix builds, compare the full version string including the -hN suffix, not just the major.minor.patch triple. The vulnerability has a CVSS score of 7.5, a high severity rating.

Exploitation causes significant operational disruption. While the firewall reboots it passes no traffic and enforces no policy, so every service behind it is unavailable for the duration, and a high-availability peer absorbs the same packets and the same crash. If repeated triggers push the firewall into maintenance mode, it stays down until an administrator restores it by hand, turning a momentary outage into a prolonged one.

Exploitation in the Wild

There are confirmed reports of CVE-2024-3393 being exploited in the wild: attackers send DNS packets that DNS Security classifies as malicious in order to trigger the crash. Exploitation has been observed across multiple sectors, including finance, healthcare and government, and across multiple countries. Useful indicators are unexplained dataplane reboots, firewalls dropping into maintenance mode, and unusual DNS traffic patterns in the period immediately before a reboot. Because the crash itself wipes the in-memory state an analyst would want, the most reliable evidence is uptime and availability telemetry collected off-box (monitoring, syslog or Panorama), not the firewall's own post-reboot logs.

APT Groups using this vulnerability

No specific Advanced Persistent Threat (APT) group has been publicly attributed to exploitation of CVE-2024-3393. The vulnerability is nevertheless attractive to groups seeking to disrupt critical infrastructure, since it needs no credentials and takes an organization's perimeter enforcement point offline with a handful of packets. Organizations in sectors such as finance, healthcare and government should be particularly vigilant.

Affected Product Versions

The affected product versions are: PAN-OS 11.2 prior to 11.2.3, PAN-OS 11.1 prior to 11.1.5, PAN-OS 10.2 from 10.2.8 through 10.2.13 (with hotfix-level fixes on that line), and PAN-OS 10.1.14 prior to the 10.1.14-h8 hotfix. These versions run on PA-Series, VM-Series and CN-Series firewalls and on Prisma Access. PAN-OS 10.0 and earlier and PAN-OS 11.0 are not listed as affected, but those lines are at or past end of life and should be upgraded for other reasons.
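Checking exposure in practice means comparing the exact `sw-version` string, hotfix suffix included, against the vulnerable ranges, and watching for the reboot pattern the Exploitation in the Wild section describes. The following Python is an added example written for this post, not code from Palo Alto Networks or from the advisory. The range table is transcribed from this page together with the hotfix-level fixed builds in the vendor advisory and is an assumption to verify against the advisory before use (the 10.2 line has further hotfix builds that also carry the fix). The `show system info` text and the uptime samples are constructed inputs; the parser assumes that command's `key: value` layout and its `uptime: N days, H:MM:SS` field.

```python
"""CVE-2024-3393 triage helper: version exposure check and reboot-storm detection.
Added example for this post; not vendor code. Range table is an assumption to verify."""
import re
from datetime import datetime, timedelta

# (first affected build, inclusive) -> (first fixed build, exclusive).
# ASSUMPTION: transcribed from this page plus hotfix-level fixes in the vendor
# advisory at https://security.paloaltonetworks.com/CVE-2024-3393; confirm there.
VULNERABLE_RANGES = [
    ("11.2.0", "11.2.3"),
    ("11.1.0", "11.1.5"),
    ("10.2.8", "10.2.10-h12"),
    ("10.2.11", "10.2.13-h2"),
    ("10.1.14", "10.1.14-h8"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
_UPTIME_RE = re.compile(r"(\d+) days?, (\d+):(\d+):(\d+)")


def parse_version(text):
    """'10.2.10-h12' -> (10, 2, 10, 12). A base release sorts as hotfix 0, so
    10.1.14 < 10.1.14-h8, which is exactly the comparison the 10.1 line needs."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess_version(text):
    """Return whether a build falls in a vulnerable range and the first fixed build."""
    v = parse_version(text)
    for low, high in VULNERABLE_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return {"version": text, "vulnerable": True, "fixed_in": high}
    return {"version": text, "vulnerable": False, "fixed_in": None}


def parse_system_info(output):
    """Collect 'key: value' lines from 'show system info' output into a dict."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def uptime_seconds(text):
    """'0 days, 0:07:41' -> 461 seconds."""
    m = _UPTIME_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised uptime string: {text!r}")
    days, hours, minutes, seconds = map(int, m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def triage(system_info_output):
    """Version verdict for one firewall, straight from its 'show system info' text."""
    return assess_version(parse_system_info(system_info_output)["sw-version"])


def detect_reboots(samples, tolerance=60):
    """samples: chronological (poll_time, uptime_seconds) pairs from an external poller.
    Without a reboot, uptime grows by exactly the wall-clock gap between polls; if it
    grows by less than that (or falls), the box went down in between. tolerance
    absorbs clock skew and polling jitter."""
    reboots = []
    prev_time, prev_up = samples[0]
    for poll_time, up in samples[1:]:
        elapsed = (poll_time - prev_time).total_seconds()
        if up < prev_up + elapsed - tolerance:
            reboots.append(poll_time)
        prev_time, prev_up = poll_time, up
    return reboots


def reboot_storm(reboot_times, window=timedelta(hours=1), threshold=3):
    """True when `threshold` or more reboots land inside any `window`: the repeated
    crashes that precede maintenance mode, and the point to page someone."""
    times = sorted(reboot_times)
    for i, start in enumerate(times):
        if len([t for t in times[i:] if t - start <= window]) >= threshold:
            return True
    return False


# Constructed sample input (not captured from a real device).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-3260
sw-version: 10.2.10-h11
uptime: 0 days, 0:07:41
"""

# Constructed poll history: two clean intervals, then three crashes in 30 minutes.
T0 = datetime(2024, 12, 27, 9, 0, 0)
SAMPLE_UPTIMES = [
    (T0, 5 * 86400),
    (T0 + timedelta(minutes=10), 5 * 86400 + 600),
    (T0 + timedelta(minutes=20), 180),
    (T0 + timedelta(minutes=30), 780),
    (T0 + timedelta(minutes=40), 240),
    (T0 + timedelta(minutes=50), 120),
]

if __name__ == "__main__":
    print(triage(SAMPLE_SYSTEM_INFO))
    reboots = detect_reboots(SAMPLE_UPTIMES)
    print(f"{len(reboots)} reboots inferred; storm={reboot_storm(reboots)}")
```

Run the version check against every firewall's `show system info` output (or the equivalent from Panorama) rather than against the major.minor version alone, since on the 10.1 and 10.2 lines the difference between exposed and fixed is the hotfix suffix. The reboot detector deliberately uses uptime polled from outside the device, because a crashing dataplane cannot be relied on to log its own crash.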

Workaround and Mitigation

The fix is to upgrade to a fixed PAN-OS release: 10.1.15 (or the 10.1.14-h8 hotfix), 10.2.14 (or the hotfix builds on the 10.2 line), 11.1.5, or 11.2.3, and any later version. If an immediate upgrade is not possible, the vendor workaround is to stop DNS Security from logging. On firewalls managed locally or through Panorama, clone the predefined Anti-Spyware profiles in use, open each clone's DNS Policies, and set the Log Severity for every configured DNS Security category to "none", then apply the cloned profiles and commit. For NGFWs managed by Strata Cloud Manager, and for Prisma Access, open a support case with Palo Alto Networks to have DNS Security logging disabled across all NGFWs. Two caveats: the workaround removes visibility into the DNS threats the firewall is still blocking, so restore the original profiles and logging as soon as the upgrade is complete; and because HA peers run the same software and inspect the same traffic, a failover does not protect an unpatched pair.

References

For more detailed information, refer to the Palo Alto Networks security advisory for CVE-2024-3393 at https://security.paloaltonetworks.com/CVE-2024-3393, the National Vulnerability Database entry at https://nvd.nist.gov/vuln/detail/CVE-2024-3393, and Cyble's write-up of CISA adding CVE-2024-3393 to the KEV catalog at https://cyble.com/blog/cisa-adds-cve-2024-3393-to-kev-catalog/.

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complexities of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat intelligence and vulnerability management. We are here to support you in mitigating this and other cybersecurity threats. For further assistance, please contact us at ops@rescana.com.
