======================================================================

                               CERT-Renater

                    Note d'Information No. 2024/VULN561
_____________________________________________________________________

DATE                : 27/12/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PAN-OS versions prior to 11.2.3,
                     11.1.5, 10.2.8, 10.2.10-h12, 10.2.13-h2 (ETA: Dec 31),
                     10.1.14, 10.1.14-h8,
                     Prisma Access versions prior to 10.2.8 on PAN-OS,
                     11.2.3 on PAN-OS.

=====================================================================
https://security.paloaltonetworks.com/CVE-2024-3393
_____________________________________________________________________

CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS
Security Using a Specially Crafted Packet

Urgency MODERATE

Severity 8.7 · HIGH
Exploit Maturity ATTACKED
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability LOW
Published 2024-12-27
Updated 2024-12-27
Reference PAN-259351, PAN-219034
Discovered in production use


Description

A Denial of Service vulnerability in the DNS Security feature of
Palo Alto Networks PAN-OS software allows an unauthenticated attacker
to send a malicious packet through the data plane of the firewall
that reboots the firewall. Repeated attempts to trigger this
condition will cause the firewall to enter maintenance mode.


Product Status

Versions        Affected                       Unaffected
Cloud NGFW      None                           All
PAN-OS 11.2     < 11.2.3                       >= 11.2.3
PAN-OS 11.1     < 11.1.5                       >= 11.1.5
PAN-OS 10.2     >= 10.2.8, < 10.2.10-h12,      < 10.2.8, >= 10.2.10-h12,
                < 10.2.13-h2                   >= 10.2.13-h2 (ETA: Dec 31)
PAN-OS 10.1     >= 10.1.14, < 10.1.14-h8       < 10.1.14, >= 10.1.14-h8
Prisma Access   >= 10.2.8 on PAN-OS,           < 10.2.8 on PAN-OS,
                < 11.2.3 on PAN-OS             >= 11.2.3 on PAN-OS

See the Solution section for additional fixes to commonly deployed
maintenance releases.


Required Configuration for Exposure

DNS Security logging must be enabled for this issue to affect PAN-OS
software.

Severity: HIGH, Suggested Urgency: MODERATE

An attacker sends a malicious packet through the firewall; the firewall
processes that packet and triggers this issue.
CVSS-BT: 8.7 / CVSS-B: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:A/AU:N/R:U/V:C/RE:M/U:Amber)

Prisma Access, when only providing access to authenticated end users,
processes a malicious packet that triggers this issue.
CVSS-BT: 7.1 / CVSS-B: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:A/AU:N/R:U/V:C/RE:M/U:Amber)


Exploitation Status

Palo Alto Networks is aware of customers experiencing this denial
of service (DoS) when their firewall blocks malicious DNS packets
that trigger this issue.


Weakness Type and Impact

CWE-754 Improper Check for Unusual or Exceptional Conditions

CAPEC-540 Overread Buffers


Solution

This issue is fixed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12,
PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.

Note: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024,
so we do not intend to provide a fix for this release.

Prisma Access customers using DNS Security with affected PAN-OS
versions should apply one of the workarounds provided below. We
will perform upgrades in two phases for impacted customers on the
weekends of January 3rd and January 10th. You can request an
expedited Prisma Access upgrade to the latest PAN-OS version by
opening a support case.

In addition, to provide the most seamless upgrade path for our
customers, we are making fixes available for other TAC-preferred
and commonly deployed maintenance releases.

Additional PAN-OS 11.1 fixes:

    11.1.2-h16
    11.1.3-h13
    11.1.4-h7
    11.1.5

Additional PAN-OS 10.2 fixes:

    10.2.8-h19
    10.2.9-h19
    10.2.10-h12
    10.2.11-h10
    10.2.12-h4
    10.2.13-h2
    10.2.14

Additional PAN-OS 10.1 fixes:

    10.1.14-h8
    10.1.15

Additional PAN-OS fixes only applicable to Prisma Access:

    10.2.9-h19
    10.2.10-h12
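
An added helper (not part of the advisory or of any Palo Alto tooling) that
checks a PAN-OS version string against the fixed releases and affected
ranges listed in the Product Status and Solution sections above, including
the per-maintenance-release hotfixes; treating the EOL 11.0 train as
affected is an assumption, since the advisory only states that no fix is
planned for it.

```python
"""Classify a PAN-OS version against the CVE-2024-3393 fix list.

Version data is copied from the advisory's Product Status and Solution
sections; the PAN-OS 11.0 handling is an assumption (EOL, no fix planned).
"""
import re

# Release trains covered by the advisory: (first affected maintenance
# release, first maintenance release that is fixed without a hotfix).
TRAINS = {(11, 2): (0, 3), (11, 1): (0, 5), (10, 2): (8, 14), (10, 1): (14, 15)}

# Hotfix number that fixes a given maintenance release (Solution section).
HOTFIX = {(10, 1, 14): 8, (10, 2, 8): 19, (10, 2, 9): 19, (10, 2, 10): 12,
          (10, 2, 11): 10, (10, 2, 12): 4, (10, 2, 13): 2,
          (11, 1, 2): 16, (11, 1, 3): 13, (11, 1, 4): 7}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple:
    """'10.2.10-h12' -> (10, 2, 10, 12); a missing hotfix counts as h0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hot = m.groups()
    return int(major), int(minor), int(maint), int(hot or 0)


def is_affected(version: str) -> bool:
    """True when the version falls inside an affected range of the advisory."""
    major, minor, maint, hot = parse_version(version)
    if (major, minor) == (11, 0):
        return True  # EOL since 2024-11-17, no fix planned (assumption)
    if (major, minor) not in TRAINS:
        raise ValueError(f"{version}: train not covered by the advisory")
    floor, fixed_from = TRAINS[(major, minor)]
    if maint < floor or maint >= fixed_from:
        return False  # below the affected floor, or a fixed base release
    fix_hot = HOTFIX.get((major, minor, maint))
    if fix_hot is None:
        return True  # no hotfix exists for this maintenance release: upgrade
    return hot < fix_hot  # older hotfix than the fixed one


def assess(version: str, dns_security_logging: bool) -> str:
    """Combine the version check with the exposure precondition."""
    if not is_affected(version):
        return "fixed"
    if dns_security_logging:
        return "vulnerable, exposed: upgrade or set DNS Security Log Severity to none"
    return "vulnerable, not exposed (DNS Security logging disabled)"
```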

Workarounds and Mitigations

If your firewall running the vulnerable PAN-OS versions stops
responding or reboots unexpectedly and you cannot immediately
apply a fix, apply a workaround below based on your deployment.

Unmanaged NGFWs, NGFW managed by Panorama, or Prisma Access
managed by Panorama

    For each Anti-spyware profile, navigate to Objects → Security
    Profiles → Anti-spyware → (select a profile) → DNS Policies →
    DNS Security.
    Change the Log Severity to "none" for all configured DNS
    Security categories.
    Commit the changes.

Remember to revert the Log Severity settings once the fixes are
applied.

NGFW managed by Strata Cloud Manager (SCM)

You can choose one of the following mitigation options:

    Option 1: Disable DNS Security logging directly on each NGFW by
following the PAN-OS steps above.
    Option 2: Disable DNS Security logging across all NGFWs in your
tenant by opening a support case.

Prisma Access managed by Strata Cloud Manager (SCM)

Until we perform an upgrade of your Prisma Access tenant, you can
disable DNS Security logging across all NGFWs in your tenant by
opening a support case. If you would like to expedite the upgrade,
please make a note of that in the support case.


CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h9:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h8:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h7:*:*:*:*:*:*

Timeline
2024-12-27
Initial publication

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
