CVE-2024-3393 — Palo Alto Networks PAN-OS Malicious DNS Packet Vulnerability

CVE-2024-3393

Palo Alto Networks PAN-OS — Unauthenticated DNS Packet Causes Firewall Reboot and Maintenance Mode Loop

What is PAN-OS DNS Security?

PAN-OS is the operating system powering Palo Alto Networks next-generation firewalls (NGFWs) and Panorama management appliances. DNS Security is a subscription-based, cloud-delivered service, applied through the DNS Policies section of an Anti-Spyware profile, that inspects DNS queries passing through the firewall to detect and block malicious domains, DNS tunneling, and DNS-based command-and-control traffic. Because that inspection runs on DNS traffic matching a security policy that carries such a profile, a parsing flaw in this component is reachable by anyone who can get a DNS packet through an affected firewall, including external hosts whose DNS traffic the firewall inspects, and it requires no credentials.

Overview

CVE-2024-3393 is a vulnerability in the DNS Security feature of PAN-OS that allows an unauthenticated remote attacker to crash and reboot the firewall by sending a specially crafted malicious DNS packet. Repeated exploitation forces the firewall into maintenance mode, effectively disabling it as a network security control. The denial-of-service impact against critical security infrastructure — taking a perimeter firewall offline — is the reason CISA added it to the KEV catalog just three days after publication, with a 21-day federal remediation deadline.

Affected Versions

PAN-OS Version    Vulnerable                       Fixed
PAN-OS 11.2       < 11.2.3                         11.2.3
PAN-OS 11.1       < 11.1.5                         11.1.5
PAN-OS 11.0       < 11.0.6                         11.0.6
PAN-OS 10.2       < 10.2.10-h12                    10.2.10-h12
PAN-OS 10.1       < 10.1.14-h8                     10.1.14-h8
Prisma Access     Versions using affected PAN-OS   Check vendor advisory

The vulnerability only affects firewalls with the DNS Security feature enabled.

Technical Details

CWE-754 (Improper Check for Unusual or Exceptional Conditions). The DNS Security component in PAN-OS fails to properly validate or handle a specific malformed DNS packet structure. When such a packet is processed by the DNS Security parsing logic, the condition is not caught, leading to an unhandled exception that causes the firewall daemon to crash and the system to reboot. The availability impact is severe: if an attacker repeatedly sends the malicious packet during the reboot cycle — which takes several minutes — the firewall is forced into maintenance mode, a diagnostic state where normal traffic inspection and security policy enforcement are suspended.

The practical consequence is an outage rather than a bypass: a firewall in maintenance mode does not forward traffic, so every path through it is down until an administrator intervenes. The CVSS vector reflects this (Availability High, Confidentiality and Integrity None). Traffic would only flow uninspected if the deployment has a deliberate fail-open or bypass path around the firewall, which is a separate design decision, not an effect of this bug.

Discovery

Palo Alto Networks published the advisory on December 27, 2024, alongside patches. The immediate KEV addition three days later (December 30) indicates exploitation was already occurring before or concurrent with the patch release.

Exploitation Context

Active exploitation was confirmed by the December 30, 2024 CISA KEV addition. The attack scenario is notable for its asymmetry: a single malformed DNS packet from any external host can take down a perimeter firewall serving thousands of users and protecting an entire network. Adversaries can use this as a precursor to a larger attack — forcing the firewall offline to eliminate security controls before launching intrusion attempts. The vulnerability is also exploitable by any internal host sending DNS queries through the firewall if DNS Security inspects internal DNS traffic.

Remediation

  1. Apply the PAN-OS patch for your version: 11.2.3, 11.1.5, 11.0.6, 10.2.10-h12, or 10.1.14-h8 (or later).
  2. If immediate patching is not possible, apply the workaround from the vendor advisory: in each Anti-Spyware profile (Objects > Security Profiles > Anti-Spyware > DNS Policies > DNS Security), set Log Severity to none for every configured DNS Security category and commit. This disables DNS Security logging at the cost of DNS-based threat visibility.
  3. After patching, restore the Log Severity settings (and any DNS Security configuration that was disabled), then verify that DNS Security is active and threat signatures are up to date.
  4. Review firewall logs for unexpected reboots or maintenance mode entries prior to patching — these may indicate prior exploitation.
  5. For Prisma Access: check Palo Alto's advisory for the Prisma-specific remediation timeline, as cloud-managed services follow a separate patching schedule.
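Step 1 is only as reliable as the version comparison behind it, and PAN-OS hotfix suffixes (10.2.10-h4 versus 10.2.10-h12) trip up naive string or float comparisons. The following script is an added example, not vendor code: it parses a PAN-OS version string into a comparable tuple, checks it against the fixed releases from the table above, and extracts the version from the sw-version line of `show system info` output. The sample CLI output is constructed for the example, and the release-train list is exactly the one on this page, so trains not listed (9.1, 10.0, and so on) are reported as unknown rather than guessed at.

```python
"""Check a PAN-OS version against the CVE-2024-3393 fixed releases.

Added example, not Palo Alto Networks code. Fixed versions are taken from
the Affected Versions table on this page. A version is compared as
(major, minor, maintenance, hotfix); a missing "-hN" suffix counts as
hotfix 0, so 10.2.10 sorts below 10.2.10-h12.
"""
import re
from typing import Optional, Tuple

# Release train -> first fixed version, per the table above.
FIXED = {
    (11, 2): "11.2.3",
    (11, 1): "11.1.5",
    (11, 0): "11.0.6",
    (10, 2): "10.2.10-h12",
    (10, 1): "10.1.14-h8",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'10.2.10-h12' -> (10, 2, 10, 12); '10.2.10' -> (10, 2, 10, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fixed release for its train, False if at or above
    it, None if the train is not covered by the table (e.g. 10.0, 9.1)."""
    v = parse_version(version)
    fixed = FIXED.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < parse_version(fixed)


def version_from_system_info(output: str) -> str:
    """Pull the sw-version field out of 'show system info' CLI output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("sw-version not found in output")


def report(version: str) -> str:
    """One-line verdict for a version string."""
    state = is_vulnerable(version)
    if state is None:
        return f"{version}: train not listed in advisory table, check vendor"
    if state:
        fixed = FIXED[parse_version(version)[:2]]
        return f"{version}: VULNERABLE, upgrade to {fixed} or later"
    return f"{version}: fixed"


# Constructed sample of 'show system info' output (only the fields used).
SAMPLE_SYSTEM_INFO = """\
hostname: edge-fw-01
model: PA-3260
sw-version: 10.2.10-h4
app-version: 8923-9105
"""

if __name__ == "__main__":
    print(report(version_from_system_info(SAMPLE_SYSTEM_INFO)))
```

A "fixed" verdict here only settles the software version; exposure still depends on whether DNS Security is enabled on the firewall, so pair this check with a review of the Anti-Spyware profiles in use.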

Key Details

Property              Value
CVE ID                CVE-2024-3393
Vendor / Product      Palo Alto Networks / PAN-OS
NVD Published         2024-12-27
NVD Last Modified     2025-11-04
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity              HIGH
CWE                   CWE-754
CISA KEV Added        2024-12-30
CISA KEV Deadline     2025-01-20
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-01-20. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-12-27    Palo Alto Networks releases PAN-SA-2024-0019; patches available for affected PAN-OS versions
2024-12-30    Added to CISA Known Exploited Vulnerabilities catalog
2025-01-20    CISA BOD 22-01 remediation deadline