Palo Alto Networks Firewall Flaws

Palo Alto Networks has recently disclosed four high-severity vulnerabilities in its firewall products.

If exploited, these flaws could allow attackers to disrupt services by causing a denial of service (DoS) or manipulating user access controls. The vulnerabilities are tracked as CVE-2024-3382, CVE-2024-3383, CVE-2024-3384, and CVE-2024-3385.

CVE-2024-3382: Denial of Service via Crafted Packets

The first vulnerability, CVE-2024-3382, affects the PAN-OS operating system and can lead to a denial of service (DoS) condition when the firewall processes a burst of specially crafted packets. This issue specifically impacts PA-5400 Series devices with the SSL Forward Proxy feature enabled. Palo Alto Networks has addressed this flaw in PAN-OS versions 10.2.7-h3, 11.0.4, 11.1.2, and later.

CVE-2024-3383: Improper Group Membership Change

CVE-2024-3383 is a vulnerability in the Cloud Identity Engine (CIE) component of PAN-OS, which could allow unauthorized changes to User-ID groups. This flaw could lead to inappropriate access control decisions, affecting the security of network resources. The company has fixed this issue in PAN-OS versions 10.1.11, 10.2.5, 11.0.3, and all subsequent releases.

CVE-2024-3384: DoS via Malformed NTLM Packets

The third vulnerability, CVE-2024-3384, involves the handling of malformed NTLM packets, which could cause PAN-OS firewalls to reboot and potentially enter maintenance mode. This vulnerability requires manual intervention to restore the firewall to operational status. Fixes have been released in PAN-OS versions 8.1.24, 9.0.17, 9.1.15-h1, and 10.0.12, among others.

CVE-2024-3385: Denial of Service when GTP Security is Disabled

The fourth vulnerability, CVE-2024-3385, affects hardware-based firewalls in the PA-5400 and PA-7000 series. It allows remote attackers to reboot the firewalls through a specific packet processing mechanism when GTP Security is disabled. Like the others, this vulnerability is rated with high severity, having a CVSSv4.0 Base Score of 8.2.

Affected Versions and Solutions

Palo Alto Networks has not observed any malicious exploitation of these vulnerabilities. However, given their high severity ratings, customers are urged to apply the provided patches or follow recommended mitigation strategies.

Below is a summary table of the affected versions for each CVE:

| CVE ID | Affected Versions | Unaffected Versions |
| --- | --- | --- |
| CVE-2024-3382 | PAN-OS 11.1 < 11.1.2, PAN-OS 11.0 < 11.0.4, PAN-OS 10.2 < 10.2.7-h3 | PAN-OS 11.1 >= 11.1.2, PAN-OS 11.0 >= 11.0.4, PAN-OS 10.2 >= 10.2.7-h3 |
| CVE-2024-3383 | PAN-OS 11.0 < 11.0.3, PAN-OS 10.2 < 10.2.5, PAN-OS 10.1 < 10.1.11 | PAN-OS 11.0 >= 11.0.3, PAN-OS 10.2 >= 10.2.5, PAN-OS 10.1 >= 10.1.11 |
| CVE-2024-3384 | PAN-OS 10.0 < 10.0.12, PAN-OS 9.1 < 9.1.15-h1, PAN-OS 9.0 < 9.0.17, PAN-OS 8.1 < 8.1.24 | PAN-OS 10.0 >= 10.0.12, PAN-OS 9.1 >= 9.1.15-h1, PAN-OS 9.0 >= 9.0.17, PAN-OS 8.1 >= 8.1.24 |
| CVE-2024-3385 | PAN-OS 11.0 < 11.0.3, PAN-OS 10.2 < 10.2.8, PAN-OS 10.1 < 10.1.12, PAN-OS 9.1 < 9.1.17, PAN-OS 9.0 < 9.0.17-h4 | PAN-OS 11.0 >= 11.0.3, PAN-OS 10.2 >= 10.2.8, PAN-OS 10.1 >= 10.1.12, PAN-OS 9.1 >= 9.1.17, PAN-OS 9.0 >= 9.0.17-h4 |
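
To check an inventory against the table above, the following added example (not from Palo Alto Networks or the original article) compares PAN-OS version strings, hotfix suffixes included, with the first fixed release in each train. It assumes a hotfix such as 10.2.7-h3 sorts after 10.2.7 and before 10.2.8, reports trains the table does not list as "not listed" rather than safe, and does not check the model or feature conditions (PA-5400 with SSL Forward Proxy, GTP Security disabled); the function names and hostnames are made up for illustration.

```python
import re

# First fixed release per PAN-OS train, copied from the table above.
FIXED = {
    "CVE-2024-3382": ["11.1.2", "11.0.4", "10.2.7-h3"],
    "CVE-2024-3383": ["11.0.3", "10.2.5", "10.1.11"],
    "CVE-2024-3384": ["10.0.12", "9.1.15-h1", "9.0.17", "8.1.24"],
    "CVE-2024-3385": ["11.0.3", "10.2.8", "10.1.12", "9.1.17", "9.0.17-h4"],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); a missing -hN counts as hotfix 0."""
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def status(cve, running):
    """Classify one version for one CVE: 'affected', 'fixed' or 'not listed'."""
    current = parse_version(running)
    for fixed in map(parse_version, FIXED[cve]):
        if fixed[:2] == current[:2]:  # same release train, e.g. 10.2
            return "affected" if current < fixed else "fixed"
    return "not listed"  # the table gives no data for this train


def triage(inventory):
    """Map each hostname to the CVEs whose table row marks its version affected."""
    return {
        host: [cve for cve in FIXED if status(cve, version) == "affected"]
        for host, version in inventory.items()
    }


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"fw-edge-01": "10.2.7-h1", "fw-dc-02": "11.0.3", "fw-lab-03": "9.0.17"}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE).items():
        print(host, ", ".join(cves) or "no affected rows match")
```

A "not listed" result means the table has no row for that release train, so the vendor advisory for that CVE still has to be consulted.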

Along with these high-severity flaws, Palo Alto Networks fixed some medium-severity flaws; details are in the company's complete advisory.

For detailed mitigation instructions and to ensure the security of their networks, customers are advised to consult the official Palo Alto Networks documentation or contact their support services.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.