WARNING: THREE HIGH-SEVERITY DENIAL-OF-SERVICE VULNERABILITIES AFFECT PALO ALTO’S PAN-OS
Reference: Advisory #2024-55
Version: 1.0
Affected software: Palo Alto PAN-OS versions
< 11.1.2
< 11.0.4
< 11.0.3
< 10.2.8
< 10.2.7-h3
< 10.1.12
< 10.0.12
< 9.1.15-h1
< 9.1.17
< 9.0.17-h4
< 9.0.17
< 8.1.24
Type: Denial of Service (DoS)
CVE/CVSS:
CVE-2024-3382: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2024-3384: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2024-3385: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Date: 17/04/2024
Risks
Security patches have been released to address three high-severity vulnerabilities affecting Palo Alto's PAN-OS.
The vulnerabilities have low attack complexity, require neither privileges nor user interaction, and have a HIGH impact on availability.
Description
CVE-2024-3382: Firewall Denial of Service (DoS) via a Burst of Crafted Packets
A remote attacker can send a burst of crafted packets through the firewall that eventually prevents the firewall from processing traffic.
This issue applies only to PA-5400 Series devices that are running PAN-OS firewall configurations with the SSL Forward Proxy feature enabled.
CVE-2024-3384: Firewall Denial of Service (DoS) via Malformed NTLM Packets
A remote attacker can cause PAN-OS firewalls to reboot when they receive malformed Windows New Technology LAN Manager (NTLM) packets from Windows servers. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.
This issue affects only PAN-OS configurations with NTLM authentication enabled.
CVE-2024-3385: Firewall Denial of Service (DoS) when GTP Security is Disabled
A remote attacker can reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.
This issue affects only PAN-OS configurations with GTP Security disabled on hardware firewall models PA-5400 and PA-7000.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
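To help prioritise patching, the following added example (not part of the advisory or of Palo Alto's tooling) checks PAN-OS version strings against the fixed-version thresholds listed above. It assumes the PAN-OS "major.minor.patch[-hN]" version format and treats a release as affected if it is older than any threshold in its own release train; because the page does not state which threshold belongs to which CVE, the check is deliberately conservative.

```python
import re
from typing import Tuple

# Fixed-version thresholds exactly as listed in the advisory. A release is
# treated as affected by at least one of the three CVEs when it is older than
# any threshold in its own release train (major.minor). Trains not listed here
# (e.g. 11.2) are out of scope for this check; consult the vendor for those.
THRESHOLDS = [
    "11.1.2", "11.0.4", "11.0.3", "10.2.8", "10.2.7-h3", "10.1.12",
    "10.0.12", "9.1.15-h1", "9.1.17", "9.0.17-h4", "9.0.17", "8.1.24",
]

# PAN-OS version format assumed here: major.minor.patch with optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.

    A base release carries hotfix 0, so '10.2.7' sorts before '10.2.7-h3'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_affected(version: str) -> bool:
    """True if `version` is older than any listed fixed version in its train."""
    v = parse_version(version)
    train = v[:2]
    for threshold in THRESHOLDS:
        t = parse_version(threshold)
        if t[:2] == train and v < t:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {"fw-edge-01": "10.2.7", "fw-edge-02": "10.2.7-h3",
                 "fw-dc-01": "10.2.8", "fw-lab": "9.0.17", "fw-old": "8.1.24"}
    for host, ver in inventory.items():
        print(f"{host}: PAN-OS {ver} -> {'PATCH' if is_affected(ver) else 'ok'}")
```

Note that the version check does not evaluate the feature-specific preconditions (SSL Forward Proxy, NTLM authentication, GTP Security) described for each CVE, so a device flagged here still needs its configuration reviewed.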
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.