Palo Alto Fixes Exploited Firewall Denial-of-Service Vulnerability


Unauthenticated Attackers Exploiting Malicious Packets to Crash PAN-OS Software

Palo Alto Updates to Address Firewall Denial-of-Service Vulnerability
Attackers have been crashing Palo Alto Networks firewalls by sending “malicious packets,” the company cautioned. (Image: Shutterstock)

Palo Alto Networks is distributing updates to address a critical vulnerability that attackers have been exploiting to crash its firewalls. The flaw resides in the PAN-OS software that runs the company’s hardware firewalls; the cloud-native Next-Generation Firewall (NGFW) is not affected.

According to the company’s security advisory, an unauthenticated attacker can send a specially crafted malicious packet through the firewall’s data plane, thereby initiating a denial-of-service condition that forces the device to reboot. Subsequent attempts can place the firewall into maintenance mode, thereby disrupting service entirely. The vulnerability is cataloged as CVE-2024-3393.

Reports of active exploitation have surfaced, with discussions emerging on forums such as the Palo Alto Networks Firewall subreddit. One administrator noted that the flaw specifically affects firewalls handling malicious DNS traffic, a function provided by the “Advanced DNS Security” feature in Palo Alto’s systems. The company has classified the issue as high-severity with a moderate urgency rating. The vulnerability carries a CVSS score of 8.7 for firewalls and 7.1 for Prisma Access security edge devices, the lower score applying when access is limited to authenticated users.

Kevin Beaumont, a UK-based cybersecurity expert, said that the vulnerability not only causes reboots but can fully crash vulnerable devices. He stated that repeatedly executing the exploit can lead to failures in paired firewalls, underscoring the need for prompt patching to restore functionality. One affected administrator shared a timeline of problems during the Christmas period, noting unexpected failovers prior to the reboots, and found no logs explaining the cause other than a routine update from Palo Alto’s WildFire malware analysis service.

Palo Alto noted that exploiting the vulnerability requires DNS Security logging to be enabled on the PAN-OS software as part of its Advanced DNS Security offering. The feature requires an active license and uses a combination of machine learning and crowdsourced intelligence to counter potential cyber threats. Even customers without the license appear to remain vulnerable, however, so administrators are urged to apply mitigations or patches immediately.

The company has released patches for various PAN-OS versions, specifically correcting the flaw in updates for versions 10.1.x, 10.2.x, and 11.1.x. However, there will be no fixes for PAN-OS 11.0, which reached end of life on November 17. As a temporary mitigation, DNS Security logging settings can be adjusted until patching is completed, with phased updates planned for Prisma Access users in early January.

This specific vulnerability bears similarities to another zero-day flaw recently discovered in Fortinet’s FortiOS software, drawing parallels in the methods through which both vulnerabilities can be exploited. Beaumont noted that edge devices are often significant targets for both criminal and national threat actors, highlighting a sustained method of attack across various cybersecurity environments.

In light of these incidents, business owners and network administrators are advised to prioritize the review and timely deployment of security patches to safeguard against these vulnerabilities. Staying vigilant in monitoring manufacturer advisories and forums for updates can prove crucial in maintaining system integrity amidst rising threats in the cybersecurity landscape.
