Palo Alto Networks on Dec. 26 released a patch for a denial-of-service (DoS) flaw in the DNS security feature of the company’s PAN-OS firewall software.
The high-severity bug, CVE-2024-3393, rated 8.7, lets an unauthenticated attacker send a malicious packet through the firewall's data plane that reboots the device.
Palo Alto said repeated attempts to trigger this condition will cause the firewall to enter maintenance mode, requiring manual intervention on the part of the security team.
The company said it’s aware of customers experiencing a DoS when their firewall repeatedly blocks malicious DNS packets that trigger the issue.
According to Palo Alto, the flaw impacts PAN-OS versions 10.X and 11.X, as well as Prisma Access running PAN-OS versions 10.2.8 and later or prior to 11.2.3. The company has issued patches for PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.
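For a defender with a fleet of firewalls, the practical question raised by the version list above is which devices are still below the fixed release for their branch. The following Python checker is an added example, not code from Palo Alto Networks or from the article; it takes only the fixed releases the article lists (10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3 "and all later versions"), assumes PAN-OS version strings of the form `major.minor.patch` with an optional `-hN` hotfix suffix, and treats a 10.x or 11.x branch with no fixed release named on the page as "no fix listed" rather than guessing. The inventory it scans is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases per maintenance branch, exactly as listed in the article.
# ASSUMPTION: any 10.x / 11.x branch missing here has no fix stated on the page,
# so the checker reports it instead of inferring one.
FIXED_RELEASES: Dict[Tuple[int, int], str] = {
    (10, 1): "10.1.14-h8",
    (10, 2): "10.2.10-h12",
    (11, 1): "11.1.5",
    (11, 2): "11.2.3",
}

# Affected major versions per the article (PAN-OS 10.X and 11.X).
AFFECTED_MAJORS = (10, 11)

# ASSUMPTION: PAN-OS version strings look like "11.2.3" or "10.2.10-h12".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.

    A release without a hotfix suffix is treated as hotfix 0, so that
    10.2.10 sorts below 10.2.10-h12 (the base release predates the hotfix).
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def patch_status(version: str) -> str:
    """Classify one PAN-OS version against the fixed releases for CVE-2024-3393.

    Returns one of: "patched", "vulnerable", "no fix listed", "out of scope".
    """
    parsed = parse_version(version)
    major, minor = parsed[0], parsed[1]
    if major not in AFFECTED_MAJORS:
        return "out of scope"          # not in the 10.X / 11.X range the article names
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "no fix listed"         # branch in range, but the page names no fix for it
    # Tuple comparison covers "the fixed release and all later versions".
    return "patched" if parsed >= parse_version(fixed) else "vulnerable"


def devices_needing_attention(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (hostname, version, status) for every device that is not patched."""
    report = []
    for host, version in sorted(inventory.items()):
        status = patch_status(version)
        if status != "patched":
            report.append((host, version, status))
    return report


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "fw-edge-01": "10.2.10-h12",   # exactly the fixed hotfix -> patched
    "fw-edge-02": "10.2.10",       # base release below the fixed hotfix -> vulnerable
    "fw-dc-01": "11.1.4-h3",       # hotfix on an older release, still below 11.1.5
    "fw-dc-02": "11.2.4",          # later than the fixed 11.2.3 -> patched
    "fw-lab-01": "10.0.5",         # 10.X branch with no fix listed on the page
    "fw-legacy": "9.1.12",         # outside the affected range the article names
}

if __name__ == "__main__":
    for host, version, status in devices_needing_attention(SAMPLE_INVENTORY):
        print(f"{host:<12} {version:<12} {status}")
```

The tuple comparison is what makes the hotfix suffix matter: a device reporting `10.2.10` is older than `10.2.10-h12` and must still be flagged, which a naive string comparison or a check that strips the `-hN` part would miss.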
Stephen Kowski, Field CTO at SlashNext Email Security, said the DNS security feature vulnerability in PAN-OS lets attackers potentially disrupt network operations through malicious DNS packets, leading to firewall reboots and maintenance mode that require manual intervention.
Kowski explained that while previous PAN-OS issues reported last month focused on authentication bypass or command injection, this new DoS vulnerability specifically targets the DNS inspection mechanism that organizations rely on to detect command-and-control threats, tunneling attempts, and various DNS-based attacks.
“The fact that Palo Alto Networks discovered this in production use suggests active exploitation attempts, making immediate patching crucial for affected organizations,” said Kowski. “Modern security approaches that layer multiple inspection points and employ machine learning to analyze DNS traffic patterns can help organizations maintain protection even when primary security controls are compromised.”
Jason Soroko, senior fellow at Sectigo, added that the vulnerability operates by manipulating the data plane of the firewall. When exploited, the malicious packets trigger the firewall to enter maintenance mode after repeated attempts, effectively causing prolonged service disruptions.
“Palo Alto Networks discovered this flaw during production use and has reported that some customers are already experiencing DoS incidents as their firewalls block these harmful DNS packets,” said Soroko.