CVE-2024-3393
published 2024-12-27


Priority: P1 (score 79, high)
CVSS 3.1: 7.5 HIGH, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV: listed, exploited in the wild, remediation due 2025-01-20
EPSS: 26.64% (97.8th percentile)
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

Affected

18 ranges as listed by the sources; rows that carry no version data are collapsed below.

Vendor               Product      Version range                Fixed in
palo_alto_networks   pan-os       >= 10.1.14 < 10.1.14-h8      10.1.14-h8
palo_alto_networks   pan-os       >= 10.2.8 < 10.2.8-h19       10.2.8-h19
palo_alto_networks   pan-os       >= 11.1.0 < 11.1.2-h16       11.1.2-h16
palo_alto_networks   pan-os       >= 11.2.0 < 11.2.3           11.2.3
paloalto             cloud_ngfw   (no version range given)     (none given)
paloalto             pan-os       (no version range given)     (none given)
paloaltonetworks     pan-os       (no version range given)     (none given; 10 such rows in the source)
paloaltonetworks     pan-os       11.1.0 – 11.1.1              (none given)
paloaltonetworks     pan-os       >= 11.2.0 < 11.2.3           11.2.3

Detection & IOCs (extracted from sources)

IOC type: other. Malicious packet through the data plane targeting DNS Security logging.
  • CVE-2024-3393 is only exploitable on devices where DNS Security logging is enabled; devices without this feature configured are not exposed. Confirm DNS Security logging is active before triaging alerts.
  • Exploitation is confirmed active in the wild; customers experienced outages when their firewalls blocked malicious DNS packets from attackers leveraging the issue.
  • Repeated exploitation causes the firewall to enter maintenance mode; an unexpected maintenance-mode event on a PAN-OS device should be treated as a potential exploitation indicator.
  • Affected platforms include PA-Series, VM-Series and CN-Series firewalls as well as Prisma Access; scope detection and monitoring to all three firewall form factors and to Prisma Access tenants.
  • The attack vector is the data plane, not the management plane: malicious packets arrive via normal traffic interfaces, so management-interface access restrictions do not mitigate the issue. Correlate data-plane DNS traffic with dataplane process crashes or unexplained reboots.
  • Workaround detection signal: if DNS Security log severity is set to "none" across all Anti-Spyware profiles in an environment that previously had it configured, an operator may have applied the CVE-2024-3393 mitigation. This is useful for asset/config auditing; note that the workaround only removes the trigger, so such devices still need the fixed release.
  • The vulnerability is in the parsing and logging of malicious DNS packets in the DNS Security feature; focus packet inspection on DNS traffic inspected by affected PAN-OS devices with DNS Security enabled.
  • PAN-OS 11.0 is end-of-life (EOL as of November 17, 2024) and will not receive a patch for this CVE; devices on 11.0 must be upgraded to a supported version.
  • Fixed versions are PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5 and 11.2.3 (and later releases on each train); devices not yet on these versions remain vulnerable. The affected-range table above also lists the maintenance hotfixes 10.2.8-h19 and 11.1.2-h16 as fixed on their own patch levels.
  • Prisma Access customers using DNS Security on affected PAN-OS versions must apply the workaround or open a support case for an expedited upgrade; most cloud-based instances have already been patched.
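As an added example (not code from the page, the vendor or any advisory tooling), the following Python helper triages a PAN-OS inventory against the fix levels listed on this page. The fix levels (10.1.14-h8, 10.2.8-h19, 10.2.10-h12, 11.1.2-h16, 11.1.5, 11.2.3), the 11.0 end-of-life status and the "DNS Security logging must be enabled" exposure precondition are taken from the page; the inventory rows are constructed. One assumption is made explicit in the code: a backported hotfix such as 10.2.8-h19 fixes only its own patch level, while the train's main fix (10.2.10-h12) also covers every later patch level. The page lists only some hotfix lines, so a device reported as "vulnerable" on a patch level the page does not mention should be checked against the vendor advisory before it is scheduled for an emergency upgrade.

```python
import re

# Added example, not vendor tooling: triage PAN-OS versions against the
# CVE-2024-3393 fix levels listed on this page. The inventory at the bottom
# is constructed for the demonstration.

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'10.2.10-h12' -> (10, 2, 10, 12); a release without a hotfix is treated as -h0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


# Per maintenance train: (patch, hotfix, covers_later_patches).
# Assumption: a backported hotfix (10.2.8-h19, 11.1.2-h16) only fixes its own
# patch level; the train's main fix also covers every later patch level.
FIX_POINTS = {
    (10, 1): [(14, 8, True)],
    (10, 2): [(8, 19, False), (10, 12, True)],
    (11, 1): [(2, 16, False), (5, 0, True)],
    (11, 2): [(3, 0, True)],
}
EOL_TRAINS = {(11, 0)}  # EOL 2024-11-17 per the page; no patch, upgrade required


def is_fixed(version):
    """True if this exact version carries the fix, False if not,
    None if the train is not covered by the fix table (e.g. 10.0.x)."""
    major, minor, patch, hotfix = parse_version(version)
    train = (major, minor)
    if train not in FIX_POINTS:
        return None
    for fix_patch, fix_hotfix, covers_later in FIX_POINTS[train]:
        if patch == fix_patch and hotfix >= fix_hotfix:
            return True
        if covers_later and patch > fix_patch:
            return True
    return False


def triage(hostname, version, dns_security_logging):
    """Classify one device. A device without DNS Security logging is not
    exposed to the trigger but still runs the vulnerable code and needs the fix."""
    train = parse_version(version)[:2]
    if train in EOL_TRAINS:
        return (hostname, "eol-unpatched")
    fixed = is_fixed(version)
    if fixed is None:
        return (hostname, "unknown-train")
    if fixed:
        return (hostname, "fixed")
    return (hostname, "vulnerable" if dns_security_logging else "not-exposed-patch-anyway")


# Constructed inventory: (hostname, PAN-OS version, DNS Security logging enabled?).
INVENTORY = [
    ("fw-edge-01", "10.2.8-h19", True),
    ("fw-edge-02", "10.2.9", True),
    ("fw-dc-01", "10.2.10-h12", True),
    ("fw-dc-02", "11.1.4", False),
    ("fw-lab-01", "11.0.4", True),
    ("fw-br-01", "11.2.3", True),
    ("fw-old-01", "10.0.11", True),
]


def triage_inventory(inventory=INVENTORY):
    """Return [(hostname, status), ...] for the whole inventory."""
    return [triage(*row) for row in inventory]


if __name__ == "__main__":
    for host, status in triage_inventory():
        print(f"{host:12} {status}")
```

The status "not-exposed-patch-anyway" reflects the two statements on this page: devices without DNS Security logging are not exposed, but the fixed releases are still the only remediation. Feeding the script from an inventory export (for example the version column of a Panorama device list) lets the config-audit bullet above and the version check be run together.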

CVSS provenance

NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD, CVSS v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber
VulnCheck: 8.7 HIGH
CISA: 8.7 HIGH