CyberSecurity SEE

Exploited Vulnerability In PAN-OS Versions

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a vulnerability in Palo Alto Networks’ PAN-OS to its Known Exploited Vulnerabilities (KEV) Catalog. Inclusion in the catalog signifies active exploitation, which poses a critical threat to federal enterprises and other entities.

The vulnerability, designated CVE-2024-3393, is a Denial of Service (DoS) flaw in the DNS Security feature of PAN-OS. It could allow unauthenticated attackers to disrupt firewall functions, causing repeated reboots and, if the attack persists, entry into maintenance mode.

The vulnerability stems from the way PAN-OS handles malformed DNS packets. When a maliciously crafted packet traverses the firewall’s data plane, it triggers a failure that forces the system to reboot. Repeated exploitation could render the firewall inoperable, jeopardizing network security for organizations that use PA-Series, VM-Series, or CN-Series firewalls or Prisma Access. The vulnerability affects specific PAN-OS versions with DNS Security or Advanced DNS Security licenses enabled and DNS Security logging activated.

The impacted PAN-OS versions include:
– PAN-OS 11.2: Versions below 11.2.3
– PAN-OS 11.1: Versions below 11.1.5
– PAN-OS 10.2: Versions between 10.2.8 and 10.2.14
– PAN-OS 10.1: Versions between 10.1.14 and 10.1.15

However, older PAN-OS versions like 9.1 and 10.0, along with Panorama M-Series and Panorama virtual appliances, remain unaffected by this vulnerability.
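
The version ranges and preconditions above can be turned into an inventory triage check. The following Python is an added example, not code from Palo Alto Networks or from the original article; the inventory field names and sample rows are constructed, and "between A and B" is assumed to mean A up to but not including B.

```python
import re

# Affected ranges from the list above: train -> (lowest affected, first unaffected).
# Assumption: "between A and B" is read as A <= version < B, matching the
# "below X" wording used for the 11.x trains.
AFFECTED = {
    (11, 2): ((11, 2, 0), (11, 2, 3)),
    (11, 1): ((11, 1, 0), (11, 1, 5)),
    (10, 2): ((10, 2, 8), (10, 2, 14)),
    (10, 1): ((10, 1, 14), (10, 1, 15)),
}

def parse_version(text):
    """Parse '10.2.9-h1' into (10, 2, 9); the hotfix suffix is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def version_in_range(text):
    """True if the maintenance release falls in a range listed above."""
    v = parse_version(text)
    bounds = AFFECTED.get(v[:2])
    return bounds is not None and bounds[0] <= v < bounds[1]

def triage(device):
    """Classify one inventory row (hypothetical field names)."""
    if device["model"].lower().startswith("panorama"):
        return "not-listed"          # Panorama appliances are listed as unaffected
    if not version_in_range(device["version"]):
        return "not-listed"
    # Both preconditions from the article must hold for the flaw to be reachable.
    if device["dns_security_license"] and device["dns_security_logging"]:
        return "exposed"
    return "version-only"            # in range, but a precondition is off

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"name": "fw-edge-01", "model": "PA-3220", "version": "10.2.9-h1",
     "dns_security_license": True, "dns_security_logging": True},
    {"name": "fw-lab-02", "model": "VM-Series", "version": "11.1.4",
     "dns_security_license": True, "dns_security_logging": False},
    {"name": "fw-dc-03", "model": "PA-5250", "version": "11.2.3",
     "dns_security_license": True, "dns_security_logging": True},
    {"name": "mgmt-01", "model": "Panorama M-600", "version": "10.2.9",
     "dns_security_license": False, "dns_security_logging": False},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(f'{dev["name"]:<12} {dev["version"]:<12} {triage(dev)}')
```

A `version-only` result means the release is in a listed range but one of the stated preconditions is off, so the device still belongs on the upgrade list.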

The severity of this vulnerability is rated as High with a CVSS score of 8.7 for unauthenticated scenarios. Instances of active exploitation have been confirmed by Palo Alto Networks, where customers reported firewall disruptions triggered by malicious DNS packets exploiting the vulnerability.

Palo Alto Networks has taken steps to address the issue by releasing patches. Organizations that cannot immediately upgrade are advised to implement temporary workarounds, including security profile adjustments, tuning DNS Security settings, and regularly monitoring firewall behavior for anomalies.

To completely mitigate the vulnerability, affected systems should upgrade to fixed PAN-OS versions provided by Palo Alto Networks. By upgrading to the latest versions, organizations can bolster their defenses against potential exploitation and maintain the security and integrity of their networks.

This vulnerability underscores the persistent challenges faced in safeguarding critical systems against advanced cyber threats. The proactive approach of CISA in including such vulnerabilities in the KEV Catalog emphasizes the necessity for timely updates and robust security measures to combat evolving risks.

In conclusion, organizations utilizing Palo Alto Networks’ solutions must act promptly to neutralize this vulnerability to uphold network security and operational stability. By leveraging best security practices and remaining informed about emerging threats, businesses can fortify their networks and enhance resilience against escalating cyber risks.
