securityadvisories.paloaltonetworks.com Open in urlscan Pro
34.71.120.0  Public Scan

Form analysis
0 forms found in the DOM

Text Content

 * Get support
 * Security advisories
 * Report vulnerabilities
 * Subscribe
 * RSS feed

Palo Alto Networks Security Advisories / CVE-2024-3385


CVE-2024-3385 PAN-OS: FIREWALL DENIAL OF SERVICE (DOS) WHEN GTP SECURITY IS
DISABLED

047910
Severity 8.2 · HIGH
Urgency MODERATE
Response Effort LOW
Recovery USER
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements PRESENT
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE
NVD JSON
Published 2024-04-10
Updated 2024-04-10
Reference PAN-221224
Discovered externally


DESCRIPTION

A packet processing mechanism in Palo Alto Networks PAN-OS software enables a
remote attacker to reboot hardware-based firewalls. Repeated attacks eventually
cause the firewall to enter maintenance mode, which requires manual intervention
to bring the firewall back online.

This affects the following hardware firewall models:

- PA-5400 Series firewalls

- PA-7000 Series firewalls


PRODUCT STATUS

VersionsAffectedUnaffectedCloud NGFW NoneAllPAN-OS 11.1NoneAllPAN-OS 11.0<
11.0.3>= 11.0.3PAN-OS 10.2< 10.2.8>= 10.2.8PAN-OS 10.1< 10.1.12>= 10.1.12PAN-OS
9.1< 9.1.17>= 9.1.17PAN-OS 9.0< 9.0.17-h4>= 9.0.17-h4Prisma Access NoneAll


REQUIRED CONFIGURATION FOR EXPOSURE

This does not affect VM-Series firewalls, CN-Series firewalls, Cloud NGFWs, or
Prisma Access.

This issue affects only PAN-OS configurations with GTP Security disabled; it
does not affect PAN-OS configurations that have GTP Security enabled. You should
verify whether GTP Security is disabled by checking your firewall web interface
(Device > Setup > Management > General Settings) and take the appropriate
actions as needed.


SEVERITY: HIGH

CVSSv4.0 Base Score: 8.2
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber)


EXPLOITATION STATUS

Palo Alto Networks is not aware of any malicious exploitation of this issue.
This was encountered by two customers in normal production usage.


WEAKNESS TYPE

CWE-20 Improper Input Validation

CWE-476: NULL Pointer Dereference


SOLUTION

This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS
10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.


WORKAROUNDS AND MITIGATIONS

Customers with a Threat Prevention subscription can block attacks for this
vulnerability by enabling Threat ID 94993 (introduced in Applications and
Threats content version 8832).


ACKNOWLEDGMENTS

Palo Alto Networks thanks an external reporter for discovering and reporting
this issue.


TIMELINE

2024-04-10 Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure
Policy Report vulnerabilitiesManage subscriptions
© 2024 Palo Alto Networks, Inc. All rights reserved.