CVE-2024-3386 PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended
An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. Because the exclusion match is over-broad, traffic destined for domains that are not listed in Predefined Decryption Exclusions can be unintentionally excluded from decryption, so TLS sessions that should have been decrypted and inspected pass through the firewall uninspected.
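The advisory does not disclose the exact comparison that was wrong, so the following is an added illustration of the bug class only, not PAN-OS code: a hostname exclusion matcher that compares with a bare suffix test (`endswith`) next to a label-aware matcher, plus an audit helper that reports which hosts the loose comparison would wrongly exclude. The exclusion entries, the wildcard semantics (a `*.` entry covers subdomains only) and the candidate hostnames are all constructed for the example.

```python
from typing import Callable, Iterable, List

# Constructed sample exclusion list (not a real PAN-OS predefined list).
EXCLUSIONS = ["*.example-bank.com", "update.example-vendor.net"]

# Constructed candidate server names as they might appear in SNI.
SAMPLE_HOSTS = [
    "login.example-bank.com",          # legitimately covered by the wildcard
    "notexample-bank.com",             # shares a suffix but is a different domain
    "update.example-vendor.net",       # exact entry, legitimately excluded
    "evil-update.example-vendor.net",  # different host ending in the exact entry
    "example-vendor.net",              # parent domain of the exact entry
]

Matcher = Callable[[str, str], bool]


def matches_naive(pattern: str, host: str) -> bool:
    """Illustrative *incorrect* comparison (assumed for the example).

    The leading "*." is stripped and a plain suffix test is used, so label
    boundaries are ignored: "notexample-bank.com" ends with
    "example-bank.com" and is treated as excluded, and an exact entry
    silently behaves like a suffix wildcard.
    """
    needle = pattern[2:] if pattern.startswith("*.") else pattern
    return host.lower().endswith(needle.lower())


def matches_strict(pattern: str, host: str) -> bool:
    """Label-aware comparison.

    A "*.suffix" entry matches only hosts that have at least one label in
    front of the literal ".suffix"; any other entry must equal the whole
    host name. Both sides are lower-cased and a trailing dot is ignored.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host != suffix and host.endswith("." + suffix)
    return host == pattern


def excluded_hosts(matcher: Matcher, exclusions: Iterable[str],
                   hosts: Iterable[str]) -> List[str]:
    """Return, sorted, every host that `matcher` would exclude from decryption."""
    exclusions = list(exclusions)
    return sorted(h for h in hosts if any(matcher(p, h) for p in exclusions))


def over_excluded(exclusions: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Hosts the naive matcher excludes but the strict matcher does not.

    This is the audit a practitioner wants: anything listed here would bypass
    decryption even though no exclusion entry actually names it.
    """
    exclusions = list(exclusions)
    hosts = list(hosts)
    loose = set(excluded_hosts(matches_naive, exclusions, hosts))
    tight = set(excluded_hosts(matches_strict, exclusions, hosts))
    return sorted(loose - tight)


if __name__ == "__main__":
    print("strictly excluded:", excluded_hosts(matches_strict, EXCLUSIONS, SAMPLE_HOSTS))
    print("wrongly excluded by naive match:", over_excluded(EXCLUSIONS, SAMPLE_HOSTS))
```

Run against the constructed inputs, the strict matcher excludes only `login.example-bank.com` and `update.example-vendor.net`, while the naive suffix test additionally lets `notexample-bank.com` and `evil-update.example-vendor.net` bypass decryption. The same audit shape (feed the real exclusion list and a sample of observed SNI values through both matchers and diff the results) is how you would confirm on a firewall whether an exclusion list is matching more than it names.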
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.1 | None | All |
PAN-OS 11.0 | < 11.0.1-h4, < 11.0.2 | >= 11.0.1-h4, >= 11.0.2 |
PAN-OS 10.2 | < 10.2.4-h4, < 10.2.5 | >= 10.2.4-h4, >= 10.2.5 |
PAN-OS 10.1 | < 10.1.9-h4, < 10.1.10 | >= 10.1.9-h4, >= 10.1.10 |
PAN-OS 10.0 | < 10.0.13 | >= 10.0.13 |
PAN-OS 9.1 | < 9.1.17 | >= 9.1.17 |
PAN-OS 9.0 | < 9.0.17-h4 | >= 9.0.17-h4 |
Prisma Access | None | All |
Exposure requires Predefined Decryption Exclusions to be configured on the PAN-OS firewall. Check whether any exclusions are configured in the firewall web interface (Device > Certificate Management > SSL Decryption Exclusions).
CVSSv4.0 Base Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Amber)
Palo Alto Networks is not aware of any malicious exploitation of this issue.
CWE-436 Interpretation Conflict
This issue is fixed in 9.0.17-h4, 9.0.18, 9.1.17, 10.0.13, 10.1.9-h4, 10.1.10, 10.2.4-h4, 10.2.5, 11.0.1-h4, 11.0.2, and all later PAN-OS versions.