CISA Adds CVE-2024-3393 to Vulnerabilities Catalog: Palo Alto Networks PAN-OS DNS Packet Flaw Threatens Firewalls 


Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-3393, a Palo Alto Networks PAN-OS Malformed DNS Packet vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability impacts the DNS Security feature of PAN-OS, which powers firewalls and security solutions. The vulnerability allows attackers to exploit the system through specially crafted DNS packets, leading to a denial-of-service (DoS) condition, affecting the availability of essential firewall services. 

On December 27, 2024, Palo Alto Networks reported a Denial of Service (DoS) vulnerability in the DNS Security feature of PAN-OS, specifically linked to the malformed DNS packet handling process. This issue, now documented as CVE-2024-3393, has been added to the CISA’s Known Exploited Vulnerabilities Catalog.  

The threat presented by CVE-2024-3393 is particularly alarming for organizations relying on DNS Security for protection, as attackers can exploit this flaw by sending malicious DNS packets that cause the affected firewall to reboot. Repeated attempts can force the firewall into maintenance mode, severely disrupting services. With the increasing reliance on firewalls to secure critical infrastructure, this vulnerability poses an urgent risk to many organizations globally. 

Technical Analysis of CVE-2024-3393 PAN-OS 

CVE-2024-3393 affects PAN-OS versions on PA-Series, VM-Series, CN-Series firewalls, and Prisma Access deployments. The vulnerability arises when DNS Security logging is enabled with a valid DNS Security or Advanced DNS Security license. When exploited, this vulnerability could allow unauthenticated attackers to send a specially crafted DNS packet through the firewall’s data plane, causing a reboot. Continuous exploitation could force the firewall into maintenance mode, leading to prolonged service disruption. 

The CVSS score for this vulnerability is 8.7, indicating a high-severity risk. The exploit maturity is classified as attacked, meaning that attackers are actively exploiting the vulnerability. It is worth noting that CVE-2024-3393 does not affect all PAN-OS versions. Specific releases are vulnerable, including PAN-OS 11.1, 10.2, and 10.1, depending on the release, while PAN-OS 9.1 and PAN-OS 11.0 have reached their end of life (EOL) and are no longer receiving patches. 

For this issue to be successfully exploited, two primary conditions must be met: 

  1. A DNS Security License (either standard or advanced) must be applied. 
  2. DNS Security logging must be enabled on the system. 

This configuration creates an avenue for attackers to initiate the DoS attack by sending malicious DNS packets that the firewall fails to handle appropriately. 

Global Exposure and Implications 

Cyble Research & Intelligence Labs reported a number of exposed PAN-OS instances, many of which belong to critical infrastructure sectors. As of recent scans, over 3,300 instances were detected with vulnerable PAN-OS versions. Many of these exposed assets belong to organizations in vital sectors such as healthcare, energy, and telecommunications, industries that play an essential role in national security, public health, and economic stability. 

The vulnerability presents a dual threat: first, the direct impact of the DoS attack on network availability, and second, the potential for reflected amplification-based denial-of-service (RDoS) attacks, where attackers can obfuscate their identities by exploiting these vulnerable systems. The risk is not just to individual organizations but to entire regions and industries that depend on uninterrupted access to critical services. 

Mitigation and Countermeasures: Securing PAN-OS Deployments 

To address the growing risk posed by CVE-2024-3393, the following actions are recommended to mitigate the impact of this vulnerability: 

  1. Organizations should ensure they are running the latest version of PAN-OS, as security updates have been released for PAN-OS 10.1.15, PAN-OS 10.2.14, and PAN-OS 11.1.5. These versions fix the DNS packet vulnerability. 
  2. For organizations unable to immediately upgrade their systems, workarounds are available. These include disabling DNS Security logging or adjusting the logging severity to reduce the risk of exploitation. 
  3. Implementing proper network segmentation to limit the exposure of critical assets to the public internet is crucial in minimizing attack vectors. 
  4. Limiting access to remote services through VPNs and ensuring strict access policies can help mitigate the potential for external attackers to exploit the vulnerability. 
  5. Review and configure DNS Security settings to ensure logging is not excessively detailed, reducing the chance of triggering the DoS condition. 
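As an added example (not Cyble's or Palo Alto Networks' code), the following Python triage helper applies the two exploitation preconditions named above together with the fixed and end-of-life releases listed in this write-up to a firewall inventory, so an operator can see which devices still need the patch or the logging workaround. The `major.minor.patch[-hN]` version syntax and the inventory records are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# First fixed build per release train, as listed in this write-up (train -> version tuple).
FIXED = {"10.1": (10, 1, 15, 0), "10.2": (10, 2, 14, 0), "11.1": (11, 1, 5, 0)}
# Trains the write-up describes as end-of-life, so no fix will be published for them.
EOL_TRAINS = {"9.1", "11.0"}
# Assumed version syntax: 'major.minor.patch' with an optional '-hN' hotfix suffix.
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(ver: str) -> tuple:
    """Turn a PAN-OS version string into a comparable (major, minor, patch, hotfix) tuple."""
    m = _VER.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {ver!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

@dataclass
class Firewall:
    name: str
    panos: str
    dns_security_license: bool  # precondition 1: DNS Security / Advanced DNS Security license
    dns_security_logging: bool  # precondition 2: DNS Security logging enabled

def assess(fw: Firewall) -> str:
    """Classify one firewall: patched, vulnerable, eol-vulnerable, not-exposed or unknown-train."""
    v = parse_version(fw.panos)
    train = f"{v[0]}.{v[1]}"
    exposed = fw.dns_security_license and fw.dns_security_logging  # both preconditions needed
    if train in EOL_TRAINS:
        # No patch is coming; only the logging workaround or an upgrade removes exposure.
        return "eol-vulnerable" if exposed else "not-exposed"
    if train not in FIXED:
        return "unknown-train"  # not named in this write-up; check the vendor advisory
    if v >= FIXED[train]:
        return "patched"
    return "vulnerable" if exposed else "not-exposed"

# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-1", "10.2.13-h2", True, True),   # below 10.2.14, both preconditions hold
    Firewall("edge-fw-2", "10.2.14", True, True),      # at the fixed build
    Firewall("dc-fw-1", "11.1.4", True, False),        # logging disabled (workaround applied)
    Firewall("legacy-fw", "9.1.17", True, True),       # EOL train, still exposed
    Firewall("lab-fw", "11.2.0", False, True),         # train not covered by this write-up
]

def triage(inventory: list) -> dict:
    return {fw.name: assess(fw) for fw in inventory}  # name -> status for a remediation report
```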

Conclusion  

While DNS Security is designed to protect against DNS infrastructure threats, this vulnerability exposes systems to DoS attacks, which can result in prolonged outages and potential data breaches. Organizations must prioritize strengthening their DNS Security practices, actively monitor DNS traffic, and keep configurations up to date to mitigate the risk posed by such vulnerabilities.  

With the increasing sophistication of cyberattacks targeting systems like PAN-OS, timely patching, effective workarounds, and limiting external exposure are essential to securing firewalls and critical infrastructure. A proactive, comprehensive approach to cybersecurity—coupled with industry collaboration—will be key to preventing exploitation and maintaining a secure digital ecosystem. 
