Attackers can send Palo Alto firewalls into maintenance mode

A vulnerability in the PAN-OS firewall operating system can jeopardize networks. Security patches are available.


Attackers can use a vulnerability in various PAN-OS versions to restart firewalls. Patched versions are available for download.

According to a security advisory, firewalls from the CN, PA, Prisma Access and VM series are at risk. Panorama is not affected. The vulnerability (CVE-2024-3393, "high") is located in the DNS security feature. Attackers can exploit it without authentication by sending prepared packets to vulnerable instances. The result is reboots. Repeated attacks reportedly cause firewalls to start up in maintenance mode.

However, devices are only vulnerable if DNS security logging is active and a DNS Security license or Advanced DNS Security license is installed. The developers state that they have secured the following PAN-OS releases against the vulnerability:

  • 10.1.14
  • 10.1.15
  • 10.2.8
  • 10.2.14
  • 11.1.5
  • 11.2.3

All earlier versions are reportedly vulnerable. The security advisory provides further information on the security fixes. The developers point out that support for PAN-OS 11.0 expired on November 17, 2024 and that this version will no longer receive security patches. Admins running it will need to upgrade in order to secure their firewalls. PAN-OS 9.1 and 10.0 are not affected by the security problem.


If it is not possible to install a security patch immediately, admins can use a workaround to protect their networks. Palo Alto explains how this works in the security advisory.

It is not yet known whether attacks are already taking place, or by which indicators admins can recognize successfully attacked systems.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.