Why Are Palo Alto Networks Firewalls an Easy Target for Hackers?

Palo Alto Networks has issued a critical warning about active exploitation of a denial-of-service (DoS) vulnerability, tracked as CVE-2024-3393, that could allow attackers to disrupt firewall operations. The flaw is being weaponized to force firewalls into a reboot cycle, effectively disabling their protections.

Repeated exploitation of this vulnerability can push the device into maintenance mode, necessitating manual intervention to restore normal operations. The vulnerability stems from the DNS Security feature in the PAN-OS software, as outlined in the advisory:

“A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall.”

Active Exploitation in the Wild

The company has confirmed that the flaw is actively being exploited, enabling unauthenticated attackers to send specially crafted malicious packets to vulnerable devices. The attacks specifically target devices where DNS Security logging is enabled. Customers have reported outages caused by firewalls blocking malicious DNS packets related to this exploit.

Affected Versions and Patches

The vulnerability impacts specific versions of the PAN-OS software. Palo Alto Networks has released patches in the following versions:

  • PAN-OS 10.1.14-h8
  • PAN-OS 10.2.10-h12
  • PAN-OS 11.1.5
  • PAN-OS 11.2.3 and subsequent releases

However, PAN-OS 11.0, also affected by the flaw, will not receive a fix as it reached its end-of-life on November 17.
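
Added example (not from Palo Alto Networks or the original article): a Python triage of a firewall inventory against the fixed releases listed above, including the `-hN` hotfix suffix and the unfixed 11.0 train. The hostnames and inventory are constructed, only the fixed versions named in this article are used, and the comparison assumes that later maintenance or hotfix builds in the same train keep the fix.

```python
import re

# Fixed releases per train, taken from the list in the article above.
# Value is (maintenance, hotfix); a release with no "-hN" has hotfix 0.
FIXED = {
    (10, 1): (14, 8),    # 10.1.14-h8
    (10, 2): (10, 12),   # 10.2.10-h12
    (11, 1): (5, 0),     # 11.1.5
    (11, 2): (3, 0),     # 11.2.3 and subsequent releases
}
EOL_NO_FIX = {(11, 0)}   # affected, but no fix will be released

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Split 'X.Y.Z[-hN]' into ((X, Y), (Z, N))."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor)), (int(maint), int(hotfix or 0))

def triage(version, dns_logging_enabled=True):
    train, build = parse(version)
    if train in EOL_NO_FIX:
        return "eol-no-fix"
    if train not in FIXED:
        return "not-listed"          # the article gives no fix for this train
    if build >= FIXED[train]:        # assumption: later builds keep the fix
        return "patched"
    # Below the fixed build: the logging workaround only buys time.
    return "upgrade" if dns_logging_enabled else "upgrade-workaround-active"

# Constructed inventory: (hostname, version, DNS Security logging enabled).
INVENTORY = [
    ("fw-edge-01", "10.1.14-h6", True),
    ("fw-edge-02", "10.2.10-h12", True),
    ("fw-dc-01", "11.0.4", True),
    ("fw-dc-02", "11.1.5", True),
    ("fw-lab-01", "11.2.2-h1", False),
    ("fw-old-01", "9.1.16", True),
]

def report(inventory):
    return {host: triage(ver, log) for host, ver, log in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```

Builds that carry the fix but are not listed in this article are reported as needing an upgrade, so the result errs on the side of flagging a device.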

Mitigation Steps

For users unable to immediately apply the patches, Palo Alto Networks has provided workarounds to mitigate the risk:

  1. For Unmanaged NGFWs or Prisma Access Managed by Panorama:
    • Navigate to: Objects → Security Profiles → Anti-spyware → DNS Policies → DNS Security for each Anti-spyware profile.
    • Set “Log Severity” to “none” for all DNS Security categories.
    • Commit changes and revert settings after applying patches.

  2. For NGFWs Managed by Strata Cloud Manager (SCM):
    • Option 1: Disable DNS Security logging directly on each NGFW.
    • Option 2: Open a support case to disable DNS Security logging across all NGFWs in the tenant.
  3. For Prisma Access Managed by SCM:
    • Open a support case to disable DNS Security logging tenant-wide.
    • If necessary, request expedited tenant upgrades in the support case.

Palo Alto Networks strongly advises customers to implement these workarounds and prioritize upgrading to secure versions of PAN-OS to mitigate potential risks.
