
Description

A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

PUBLISHED Reserved 2024-04-05 | Published 2024-12-27 | Updated 2025-10-21 | Assigner palo_alto




HIGH: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/R:U/V:C/RE:M/U:Amber

An attacker sends a malicious packet through the firewall, which processes the packet and triggers this issue.

HIGH: 7.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/R:U/V:C/RE:M/U:Amber

Prisma Access, when only providing access to authenticated end users, processes a malicious packet that triggers this issue.

CISA Known Exploited Vulnerability

Date added 2024-12-30 | Due date 2025-01-20

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-754 Improper Check for Unusual or Exceptional Conditions

Product status

Default status
unaffected

All
unaffected

Default status
unaffected

11.2.0 (custom) before 11.2.3
affected

11.1.0 (custom) before 11.1.2-h16
affected

10.2.8 (custom) before 10.2.8-h19
affected

10.1.14 (custom) before 10.1.14-h8
affected

Default status
unaffected

10.2.0 (custom) before 10.2.8
unaffected

11.2.0 (custom) before 11.2.3
affected

Timeline

2024-12-27: Initial publication

Credits

Palo Alto Networks thanks the CERT-EE team for their extra effort in providing invaluable forensic and analytic assistance. (reporter)

References

www.cisa.gov/...nerabilities-catalog?field_cve=CVE-2024-3393 government-resource

security.paloaltonetworks.com/CVE-2024-3393 vendor-advisory

cve.org (CVE-2024-3393)

nvd.nist.gov (CVE-2024-3393)
