
CVE-2024-3393

CVSSv4: 8.7 | CVSSv3: 7.5 | CVSSv2: NA | VMScore: 970 | EPSS: 0.6984 | KEV: Exploitation Reported
Published: 27/12/2024 Updated: 14/01/2025

Vulnerability Summary

Denial of Service in Palo Alto Networks PAN-OS DNS Security

A Denial of Service vulnerability exists in the DNS Security feature of Palo Alto Networks PAN-OS software. An unauthenticated attacker can send a malicious packet through the firewall's data plane, which causes the firewall to reboot. Repeated attempts to trigger this condition cause the firewall to enter maintenance mode.

Solution

This issue is fixed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.

Note: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release.

Prisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided below. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a support case at https://support.paloaltonetworks.com/Support/Index.

In addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.

Additional PAN-OS 11.1 fixes:

* 11.1.2-h16
* 11.1.3-h13
* 11.1.4-h7
* 11.1.5




Additional PAN-OS 10.2 fixes:

* 10.2.8-h19
* 10.2.9-h19
* 10.2.10-h12
* 10.2.11-h10
* 10.2.12-h4
* 10.2.13-h2
* 10.2.14




Additional PAN-OS 10.1 fixes:

* 10.1.14-h8
* 10.1.15




Additional PAN-OS fixes only applicable to Prisma Access:

* 10.2.9-h19
* 10.2.10-h12

Vulnerable Product

paloaltonetworks pan-os 11.2.2

paloaltonetworks pan-os 11.2.1

paloaltonetworks pan-os 11.2.0

paloaltonetworks pan-os 11.2

paloaltonetworks pan-os 11.1.4

paloaltonetworks pan-os 11.1.3

paloaltonetworks pan-os 11.1.2

paloaltonetworks pan-os 11.1.1

paloaltonetworks pan-os 11.1.0

paloaltonetworks pan-os 11.1

paloaltonetworks pan-os 10.2.10

paloaltonetworks pan-os 10.2.9

paloaltonetworks pan-os 10.2.8

paloaltonetworks pan-os 10.2

paloaltonetworks pan-os 10.1.14

paloaltonetworks pan-os 10.1

palo alto networks cloud ngfw

palo alto networks pan-os

paloaltonetworks pan-os

paloaltonetworks pan-os 10.2.11

paloaltonetworks pan-os 10.2.12

paloaltonetworks pan-os 10.2.13

paloaltonetworks prisma access -

Recent Articles

Hackers exploit DoS flaw to disable Palo Alto Networks firewalls
BleepingComputer • Bill Toulas • 27 Dec 2024

Palo Alto Networks is warning that hackers are exploiting the CVE-2024-3393 denial of service vulnerability to disable firewall protections by forcing it to reboot. Leveraging the security issue repeatedly, however, causes the device to enter maintenance mode and manual intervention is required to restore it to normal operations. "A Denial of Service vulnerability in the DNS Security...