CVE-2024-3393
Palo Alto Networks PAN-OS Malicious DNS Packet Vulnerability
Severity Score
8.7
*CVSS v4
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
3
*Multiple Sources
Exploited in Wild
Yes
*KEV
Decision
Act
*SSVC
Descriptions
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
Palo Alto Networks PAN-OS contains a vulnerability in parsing and logging malicious DNS packets in the DNS Security feature that, when exploited, allows an unauthenticated attacker to remotely reboot the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
*Credits:
Palo Alto Networks thanks the CERT-EE team for their extra effort in providing invaluable forensic and analytic assistance.
CVSS Scores
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Act
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-04-05 CVE Reserved
- 2024-12-27 CVE Published
- 2024-12-30 CVE Updated
- 2024-12-30 Exploited in Wild
- 2025-01-04 First Exploit
- 2025-01-15 EPSS Updated
- 2025-01-20 KEV Due Date
CWE
- CWE-754: Improper Check for Unusual or Exceptional Conditions
CAPEC
- CAPEC-540: Overread Buffers
References (4)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/188673 | 2025-01-14 | |
| https://github.com/FelixFoxf/-CVE-2024-3393 | 2025-01-04 | |
| https://github.com/waived/CVE-2024-3393 | 2025-01-09 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.paloaltonetworks.com/CVE-2024-3393 | 2024-12-27 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Palo Alto Networks Search vendor "Palo Alto Networks" | PAN-OS Search vendor "Palo Alto Networks" for product "PAN-OS" | >= 11.2.0 < 11.2.3 Search vendor "Palo Alto Networks" for product "PAN-OS" and version " >= 11.2.0 < 11.2.3" | en |
Affected
| ||||||
| Palo Alto Networks Search vendor "Palo Alto Networks" | PAN-OS Search vendor "Palo Alto Networks" for product "PAN-OS" | >= 11.2.0 < 11.2.3 Search vendor "Palo Alto Networks" for product "PAN-OS" and version " >= 11.2.0 < 11.2.3" | en |
Affected
| ||||||