CVE-2024-3393
Published: 27 December 2024
Summary
CVE-2024-3393 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Palo Alto Networks PAN-OS. Its CVSS v4.0 base score is 8.7 (High).
Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-3393 is a denial-of-service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software. An unauthenticated attacker can trigger a firewall reboot by sending a specially crafted packet through the data plane; repeated triggering forces the device into maintenance mode. The flaw is tracked under CWE-754 and carries a CVSS 4.0 score of 8.7 reflecting network attack vector, no required privileges or user interaction, and high availability impact.
Exploitation requires no authentication: the attacker transmits the crafted packet across the data plane. Each successful attempt reboots the device immediately; sustained attempts place the firewall into maintenance mode, disrupting traffic inspection and the security services it provides until an administrator recovers it manually. Because the trigger traverses the data plane rather than the management interface, restricting management access does not reduce exposure.
The official Palo Alto Networks advisory (security.paloaltonetworks.com/CVE-2024-3393) lists the affected PAN-OS versions and remediation steps. CISA's addition of the CVE to its Known Exploited Vulnerabilities catalog confirms exploitation in the wild, and the EPSS score of 0.7972 indicates a high probability of further exploitation.
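A detection rule for the effect described above, as an added example that is not part of this page or of any vendor tooling: it reads system-log lines, counts reboots per firewall inside a sliding window, and flags a host that either reboots repeatedly or reports entering maintenance mode. The log lines are constructed, and their layout ("<ISO timestamp> <hostname> <message>") and the reboot/maintenance wording are assumptions to adapt to the syslog format your collector actually receives.

```python
"""Flag firewalls that reboot repeatedly in a short window or enter
maintenance mode, the symptom this page describes for CVE-2024-3393.

Added example for this page, not vendor code. The log lines below are
constructed; their layout and the marker strings are assumptions.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Assumed line layout: "<ISO timestamp> <hostname> <free-text message>".
_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.+)$")

# Assumed message fragments, matched case-insensitively. Adapt to your logs.
REBOOT_MARKERS = ("system reboot", "rebooting")
MAINTENANCE_MARKERS = ("maintenance mode",)


def parse_line(line: str) -> tuple[datetime, str, str] | None:
    """Split one line into (timestamp, host, lowercased message); None if malformed."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:  # first token was not a timestamp
        return None
    return ts, m["host"], m["msg"].lower()


def max_events_in_window(stamps: list[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of length `window`."""
    stamps = sorted(stamps)
    best = start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_reboot_storms(lines, window=timedelta(minutes=30), threshold=3) -> dict[str, dict]:
    """Return {host: {"max_reboots_in_window": int, "maintenance_mode": bool}}
    for every host with >= threshold reboots inside `window`, or that logged
    entering maintenance mode (the end state of sustained triggering)."""
    reboots: dict[str, list[datetime]] = {}
    in_maintenance: set[str] = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if any(k in msg for k in MAINTENANCE_MARKERS):
            in_maintenance.add(host)
        elif any(k in msg for k in REBOOT_MARKERS):
            reboots.setdefault(host, []).append(ts)

    alerts: dict[str, dict] = {}
    for host in set(reboots) | in_maintenance:
        peak = max_events_in_window(reboots.get(host, []), window)
        if peak >= threshold or host in in_maintenance:
            alerts[host] = {"max_reboots_in_window": peak,
                            "maintenance_mode": host in in_maintenance}
    return alerts


# Constructed sample log lines (not real PAN-OS output).
SAMPLE_LOGS = [
    "2024-12-27T09:00:12 fw-edge-1 System reboot initiated",
    "2024-12-27T09:07:41 fw-edge-1 System reboot initiated",
    "2024-12-27T09:15:03 fw-edge-1 System reboot initiated",
    "2024-12-27T09:22:30 fw-edge-1 Device entering maintenance mode",
    "2024-12-27T03:10:00 fw-dc-1 System reboot initiated",  # a single planned reboot
    "2024-12-27T09:05:00 fw-dc-2 Commit succeeded",
    "garbage line with no timestamp",
]

if __name__ == "__main__":
    for host, info in find_reboot_storms(SAMPLE_LOGS).items():
        print(host, info)
```

A single scheduled reboot does not alert, which keeps routine maintenance quiet; an attacker who spaces attempts beyond the window would evade the count, so tune the window and threshold to your own reboot baseline, and treat a storm as a symptom to correlate with the advisory and the device's version rather than as attribution.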
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31982
Vulnerability details
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
- CWE(s): CWE-754 (Improper Check for Unusual or Exceptional Conditions)
- KEV Date Added: 30 December 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly requires mechanisms to protect against or limit the effects of DoS attacks, such as the single malicious DNS Security packet that forces a PAN-OS reboot.
- SI-10 (Information Input Validation): requires validation of inputs so that malformed or exceptional DNS packets are rejected before they reach the vulnerable PAN-OS DNS Security processing path.
- SI-2 (Flaw Remediation): mandates timely installation of the vendor patches that eliminate the CWE-754 flaw in the PAN-OS DNS Security feature.
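The patch-remediation control above comes down to one question per firewall: does its reported version already carry the fix? As an added example (not the vendor's or this page's code), the script below triages an inventory of firewalls against a per-release-train list of fixed versions. The version format "major.minor.maintenance[-hN]" is assumed, and the fixed-version table and inventory are constructed placeholders, not the advisory's values; take the real ones from the vendor advisory. The point it demonstrates is the backport case: a fix shipped as a hotfix to an older maintenance release, which a plain numeric comparison against the newest fixed version would misclassify.

```python
"""PAN-OS version triage against a per-train fixed-version table.

Added example for this page; not Palo Alto Networks code. The table and
inventory below are constructed placeholders: take the real fixed versions
from the vendor advisory for CVE-2024-3393 before relying on the output.
"""
from __future__ import annotations

import re

# Assumed PAN-OS version format: major.minor.maintenance with an optional
# "-hN" hotfix suffix, e.g. "10.2.10-h12". A bare release counts as hotfix 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix) or raise ValueError."""
    m = _VERSION_RE.match(s.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_patched(version: str, fixed_versions: list[str]) -> bool:
    """True if `version` carries the fix, given every fixed version listed
    for its release train (newest fix plus any hotfix backports)."""
    dev = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixed_versions)
    if not fixed:
        raise ValueError("empty fixed-version list")
    # Anything at or beyond the newest fixed release is patched.
    if dev >= fixed[-1]:
        return True
    # Otherwise the device is patched only if it sits on a maintenance
    # release that received a backported hotfix, at or above that hotfix.
    return any(dev[:3] == f[:3] and dev[3] >= f[3] for f in fixed)


def triage(inventory: dict[str, str], fixed_by_train: dict[str, list[str]]) -> dict[str, str]:
    """Classify each host as patched, vulnerable, unlisted-train or unparseable."""
    results: dict[str, str] = {}
    for host, ver in inventory.items():
        try:
            v = parse_version(ver)
        except ValueError:
            results[host] = "unparseable"
            continue
        train = f"{v[0]}.{v[1]}"
        if train not in fixed_by_train:
            # No fix listed for this train: check the advisory (it may be end-of-life).
            results[host] = "unlisted-train"
        elif is_patched(ver, fixed_by_train[train]):
            results[host] = "patched"
        else:
            results[host] = "vulnerable"
    return results


# Constructed placeholder table: release train -> fixed versions in that train.
EXAMPLE_FIXED = {
    "10.2": ["10.2.10-h12", "10.2.8-h19"],
    "11.1": ["11.1.5"],
}

# Constructed inventory of hostnames and reported PAN-OS versions.
EXAMPLE_INVENTORY = {
    "fw-edge-1": "10.2.10-h11",  # one hotfix short of the fix
    "fw-edge-2": "10.2.10-h12",
    "fw-dc-1": "10.2.8-h19",     # backported fix on an older maintenance release
    "fw-dc-2": "10.2.9-h3",      # no backport on this release: still exposed
    "fw-branch-1": "10.2.11",    # newer maintenance release than the top fix
    "fw-lab-1": "11.0.4-h2",     # train absent from the table
    "fw-old": "11.1.4-h7",
    "fw-bad": "10.2",            # incomplete version string
}

if __name__ == "__main__":
    for host, state in triage(EXAMPLE_INVENTORY, EXAMPLE_FIXED).items():
        print(f"{host:12} {state}")
```

Hosts reported as "unlisted-train" are not safe by default: a train missing from the table may simply be end-of-life and unfixed, so resolve each against the advisory rather than treating the absence of a listed fix as a pass.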