securityadvisories.paloaltonetworks.com
Open in
urlscan Pro
34.71.120.0
Public Scan
URL:
https://securityadvisories.paloaltonetworks.com/CVE-2024-3386
Submission: On April 16 via api from IN — Scanned from DE
Submission: On April 16 via api from IN — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
* Get support * Security advisories * Report vulnerabilities * Subscribe * RSS feed Palo Alto Networks Security Advisories / CVE-2024-3386 CVE-2024-3386 PAN-OS: PREDEFINED DECRYPTION EXCLUSIONS DOES NOT WORK AS INTENDED 047910 Severity 6.9 · MEDIUM Urgency MODERATE Response Effort LOW Recovery AUTOMATIC Value Density DIFFUSE Attack Vector NETWORK Attack Complexity LOW Attack Requirements NONE Automatable YES User Interaction NONE Product Confidentiality NONE Product Integrity LOW Product Availability NONE Privileges Required NONE Subsequent Confidentiality NONE Subsequent Integrity NONE Subsequent Availability NONE NVD JSON Published 2024-04-10 Updated 2024-04-10 Reference PAN-208155 Discovered externally DESCRIPTION An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption. PRODUCT STATUS VersionsAffectedUnaffectedCloud NGFW NoneAllPAN-OS 11.1NoneAllPAN-OS 11.0< 11.0.1-h2, < 11.0.2>= 11.0.1-h2, >= 11.0.2PAN-OS 10.2< 10.2.4-h2, < 10.2.5>= 10.2.4-h2, >= 10.2.5PAN-OS 10.1< 10.1.9-h3, < 10.1.10>= 10.1.9-h3, >= 10.1.10PAN-OS 10.0< 10.0.13>= 10.0.13PAN-OS 9.1< 9.1.17>= 9.1.17PAN-OS 9.0< 9.0.17-h2>= 9.0.17-h2Prisma Access NoneAll REQUIRED CONFIGURATION FOR EXPOSURE You must configure Predefined Decryption Exclusions on your PAN-OS firewalls. You should check to see whether you have any configured exclusions in your firewall web interface (Device > Certificate Management > SSL Decryption Exclusions). SEVERITY: MEDIUM CVSSv4.0 Base Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Amber) EXPLOITATION STATUS Palo Alto Networks is not aware of any malicious exploitation of this issue. WEAKNESS TYPE CWE-436 Interpretation Conflict SOLUTION This issue is fixed in 9.0.17-h2, 9.0.18, 9.1.17, 10.0.13, 10.1.9-h3, 10.1.10, 10.2.4-h2, 10.2.5, 11.0.1-h2, 11.0.2, and all later PAN-OS versions. ACKNOWLEDGMENTS Palo Alto Networks thanks Frederic De Vlieger for discovering and reporting this issue. TIMELINE 2024-04-10 Initial publication Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure Policy Report vulnerabilitiesManage subscriptions © 2024 Palo Alto Networks, Inc. All rights reserved.