
    Critical Update Issued for PAN-OS DoS Vulnerability — Immediate Action Required

    Palo Alto Networks has revealed a significant vulnerability within its PAN-OS software, capable of inducing a denial-of-service (DoS) state on affected devices, necessitating urgent remediation.

    The flaw, tracked as CVE-2024-3393 with a CVSS score of 8.7, affects PAN-OS versions 10.X and 11.X, as well as Prisma Access running PAN-OS versions from 10.2.8 up to, but not including, 11.2.3. It has been fixed in PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3, and all later releases.

    “A denial-of-service vulnerability in the DNS Security mechanism within PAN-OS software enables an unauthenticated adversary to transmit malicious data packets through the firewall’s data plane, leading to a system reboot,” the company disclosed in a formal advisory issued on Friday.

    “Should this condition be repeatedly provoked, the firewall transitions into maintenance mode.”

    Palo Alto Networks discovered the vulnerability in real-world use and has acknowledged customer reports of DoS conditions triggered when firewalls block malicious DNS packets that exploit this weakness.

    The extent of exploitation is currently unknown. The Hacker News has reached out to Palo Alto Networks for further comment, and updates will follow if additional information is provided.

    Firewalls utilizing DNS Security logging are specifically at risk due to this vulnerability. The severity diminishes to a CVSS score of 7.1 when access is restricted to authenticated users through Prisma Access.

    Remedial Actions and Maintenance Fixes

    To address this flaw, updates have been incorporated into various widely used maintenance releases, including:

    • PAN-OS 11.1: Versions 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, and 11.1.5
    • PAN-OS 10.2: Versions 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, and 10.2.14
    • PAN-OS 10.1: Versions 10.1.14-h8 and 10.1.15
    • Prisma Access-specific versions: PAN-OS 10.2.9-h19 and 10.2.10-h12

    Note: PAN-OS 11.0 is excluded from fixes, as its lifecycle support concluded on November 17, 2024.
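The fixed-release list above can be turned into an inventory check. The following is an added example, not code from Palo Alto Networks or the original article; the status labels, host names and sample versions are constructed, and it assumes a release carries the fix when its hotfix number is at or above the listed one for the same maintenance release, or when its maintenance release is newer than the latest one listed for that train.

```python
import re

# Fixed releases as listed in the article: train -> {maintenance release: minimum hotfix}
FIXED = {
    (11, 2): {3: 0},
    (11, 1): {2: 16, 3: 13, 4: 7, 5: 0},
    (10, 2): {8: 19, 9: 19, 10: 12, 11: 10, 12: 4, 13: 2, 14: 0},
    (10, 1): {14: 8, 15: 0},
}
NO_FIX_TRAINS = {(11, 0)}  # end of life on November 17, 2024; excluded from fixes

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split 'X.Y.Z' or 'X.Y.Z-hN' into ((X, Y), Z, N); a missing hotfix is 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor), maint, hotfix


def fix_status(text):
    """Return 'fixed', 'needs-update', 'no-fix-eol' or 'not-listed' (labels are this example's)."""
    train, maint, hotfix = parse_version(text)
    if train in NO_FIX_TRAINS:
        return "no-fix-eol"
    table = FIXED.get(train)
    if table is None:
        return "not-listed"  # train is not covered by the article's fix list
    if maint in table:
        return "fixed" if hotfix >= table[maint] else "needs-update"
    # Assumption: anything past the newest listed maintenance release includes the fix.
    return "fixed" if maint > max(table) else "needs-update"


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    inventory = {"fw-edge-01": "10.2.9-h18", "fw-edge-02": "11.1.4-h7",
                 "fw-lab-01": "11.0.6", "fw-dc-01": "11.2.2-h1"}
    for host, version in inventory.items():
        print(f"{host:12} {version:12} {fix_status(version)}")
```

Devices reported as needs-update or no-fix-eol are the ones to which the temporary mitigation below applies until they can be moved to a fixed release.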

    Mitigation Strategies for Unpatched Systems

    For firewalls operating without the latest updates or managed through Panorama, users may temporarily disable DNS Security logging by setting Log Severity to “none” for all DNS Security categories in the Anti-Spyware profile. Navigate to:
    Objects > Security Profiles > Anti-Spyware > (Choose Profile) > DNS Policies > DNS Security.

    In environments managed through Strata Cloud Manager (SCM), administrators can either apply the steps above directly on individual devices or request the change across all devices by opening a support case. Prisma Access tenants managed by SCM are likewise advised to open a support case to disable logging until their systems are upgraded.

    The swift implementation of these updates is imperative to safeguard against potential exploitation of this vulnerability. Administrators are strongly encouraged to prioritize the recommended fixes to ensure the resilience of their systems.
