
Palo Alto PAN-OS Severe Vulnerability (CVE-2024-3393) Exploited


Palo Alto announced a critical security vulnerability affecting its PAN-OS software. PAN-OS is the operating system developed by Palo Alto Networks for its network security devices, which is used to provide advanced security features.
The vulnerability, tracked as CVE-2024-3393, can cause a denial of service (DoS) condition on susceptible devices.

Understanding the Vulnerability

Rated High, CVE-2024-3393 carries a CVSS score of 8.7. The vulnerability affects PAN-OS versions 10.X and 11.X, as well as Prisma Access running PAN-OS versions 10.2.8 and later or prior to 11.2.3. It is addressed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions. The severity drops to a CVSS score of 7.1 when access is restricted to authenticated end users via Prisma Access.

According to the company advisory, “A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall.
Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.”
On December 30, 2024, this high-severity flaw in Palo Alto Networks PAN-OS software was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by January 20, 2025.

Solutions for the Vulnerability

Palo Alto has extended fixes to its commonly deployed maintenance releases:

  1. PAN-OS 11.1 (11.1.2-h16, 11.1.3-h13, 11.1.4-h7, and 11.1.5)
  2. PAN-OS 10.2 (10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, and 10.2.14)
  3. PAN-OS 10.1 (10.1.14-h8 and 10.1.15)
  4. PAN-OS 10.2.9-h19 and 10.2.10-h12 (only applicable to Prisma Access)
  5. PAN-OS 11.0 (No fix owing to it reaching end-of-life status on November 17, 2024)
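The fixed-release list above can be turned into a quick check a defender runs against the version reported by each firewall (for example from `show system info`). This is an added example, not Palo Alto's or the post's code; it assumes the `major.minor.maintenance-hN` version-string format and reads the list as "this hotfix or higher, or any later maintenance release once the train has a full fixed release".

```python
import re
from typing import Tuple

# Fixed maintenance releases exactly as listed in the advisory summary above.
FIXED_RELEASES = {
    (10, 1): ["10.1.14-h8", "10.1.15"],
    (10, 2): ["10.2.8-h19", "10.2.9-h19", "10.2.10-h12", "10.2.11-h10",
              "10.2.12-h4", "10.2.13-h2", "10.2.14"],
    (11, 1): ["11.1.2-h16", "11.1.3-h13", "11.1.4-h7", "11.1.5"],
    (11, 2): ["11.2.3"],
}
# PAN-OS 11.0 reached end-of-life on November 17, 2024 and receives no fix.
NO_FIX_TRAINS = {(11, 0)}

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple; hotfix defaults to 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_fixed_by(installed: Version, fix: Version) -> bool:
    """True if the fix covers the installed build: same maintenance level with an
    equal or higher hotfix, or a later maintenance level than a full fixed release."""
    _, _, maint, hotfix = installed
    _, _, fix_maint, fix_hotfix = fix
    if maint == fix_maint:
        return hotfix >= fix_hotfix
    return maint > fix_maint and fix_hotfix == 0


def assess(version_text: str) -> str:
    """Classify an installed PAN-OS version against the CVE-2024-3393 fix list."""
    v = parse_version(version_text)
    train = (v[0], v[1])
    if train in NO_FIX_TRAINS:
        return "no fix available (end-of-life train); upgrade to a supported release"
    if train not in FIXED_RELEASES:
        return "train not listed in the advisory; verify against the vendor advisory"
    if any(is_fixed_by(v, parse_version(f)) for f in FIXED_RELEASES[train]):
        return "fixed"
    return "vulnerable; apply the fix or the DNS Security logging workaround"
```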

Workarounds for the Vulnerability

For unmanaged firewalls or firewalls managed by Panorama, customers can disable DNS Security logging by setting the Log Severity to “none” for all DNS Security categories in each Anti-Spyware profile. This is done by navigating to Objects > Security Profiles > Anti-Spyware > (select a profile) > DNS Policies > DNS Security.

For firewalls managed via Strata Cloud Manager (SCM), users can either apply the same steps directly on individual devices or disable DNS Security logging across all devices by opening a support case. Similarly, for Prisma Access tenants managed through SCM, it is recommended to submit a support case to disable logging until the system is upgraded.

Instantly Fix Risks with SanerNow Patch Management

SanerNow Patch Management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.