PAN-OS: Firewall Denial of Service in DNS Security
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall.
Palo Alto Networks and PAN-OS
Palo Alto Networks, Inc. is an American multinational specializing in cybersecurity, and one of the world's most renowned companies in this field.
Its core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100. It is also known for its threat intelligence and security consulting team, the well-known Unit 42, which has helped solve multiple cases.
All Palo Alto next-generation firewalls run their own operating system, PAN-OS, which is based on Linux and works primarily at layers 3 (network layer) and 4 (transport layer) of the OSI model for traffic routing and filtering. However, thanks to integrated technologies such as App-ID and Content-ID, it also analyzes higher layers, notably layer 7 (application layer), to identify and control the applications and content traversing the network.
CVE-2024-3393
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
The malicious packet is a DNS packet that simulates a DNS query (qr=0) aimed at the www.example.com domain:
IP: the source address is generated randomly and the destination address is that of the targeted Palo Alto firewall.
UDP: the packet is sent over UDP to port 53, the standard port for DNS queries.
DNS: a DNS query. The qr=0 flag indicates that this is a query, not a response. The qname is the domain name being queried (which can be an arbitrary domain).
The vulnerability is known to be exploited in the wild (1-2), and multiple proof-of-concept codes are available online, which makes detection easier for defenders and exploitation easier for attackers:
https://github.com/FelixFoxf/-CVE-2024-3393/blob/main/feelgood.py
https://github.com/waived/CVE-2024-3393/tree/main
In January, Censys observed 271,455 exposed devices running PAN-OS software. A large proportion of these (40%) are geolocated in the United States. Note that not all observed instances are necessarily vulnerable, as specific version information is not available.
source :

Such a vulnerability could temporarily disable the firewall defenses of the targeted environment and allow attackers to conduct further attacks on it and potentially gain access.
Mitre ATT&CK Mapping
| Tactic | Technique | Technique Name | Context |
|---|---|---|---|
| Inhibit Response Function | T0814 | Denial of Service | CVE-2024-3393 corresponds directly to a Denial of Service attack: a malicious DNS packet sent to a Palo Alto firewall disrupts the normal operation of the system. |
| Initial Access, Lateral Movement | T1210 / T0866 | Exploitation of Remote Services | The attack uses the DNS service, a remote service exposed on port 53, making the Exploitation of Remote Services technique relevant. |
| Impact | T0826 | Loss of Availability | The primary impact of this vulnerability is Loss of Availability, as the firewall becomes unresponsive after repeated exploitation. |
Mitigations
Patches and Updates
The most effective mitigation for this vulnerability is to apply the official security patches released by Palo Alto Networks.
Rate-Limiting mechanism for DNS requests
You can configure a limit on incoming traffic to port 53 (DNS) so that an excessive number of DNS queries is not sent to the firewall.
Access Control Lists
Restrict, as far as possible, the networks that can reach the firewall to known and trusted addresses.
Intrusion Prevention Systems
If you have an IPS, ensure that it can detect and block abnormal traffic patterns or attacks targeting the DNS service.
Specific Palo Alto recommendations:
This issue is fixed in PAN-OS 10.1.15, PAN-OS 10.2.14, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions; upgrade to these versions.
Note: PAN-OS 11.0 reached end of life (EOL) on November 17, 2024.
If your firewall running a vulnerable PAN-OS version stops responding or reboots unexpectedly and you cannot immediately apply a fix, apply one of the workarounds below depending on your deployment.
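As an added check (not from the original post or from Palo Alto Networks), the following Python helper triages an inventory of PAN-OS versions against the fixed releases listed above. It assumes the usual "major.minor.patch" version string, optionally with a "-hN" hotfix suffix that it ignores when comparing (so any hotfix-level fixes not listed on this page are not modelled), and the device inventory is constructed sample data.

```python
# Added example (not from the original post or from Palo Alto Networks): triage
# an inventory of PAN-OS versions against the fixed releases quoted above.

# First fixed release of each maintenance train named in the advisory text;
# later patches in that train and later trains are also fixed.
FIXED_VERSIONS = {(10, 1): (10, 1, 15), (10, 2): (10, 2, 14),
                  (11, 1): (11, 1, 5), (11, 2): (11, 2, 3)}
EOL_TRAINS = {(11, 0)}  # end-of-life per the note above: no fix available


def parse_version(text):
    """'major.minor.patch' or 'major.minor.patch-hN' -> (major, minor, patch).
    Assumption: the '-hN' hotfix suffix is dropped, so a hotfix of an unfixed
    base release is still flagged (conservative)."""
    parts = text.strip().split("-h", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version):
    """Classify one version: 'fixed', 'vulnerable', 'eol-no-fix' or 'not-listed'."""
    major, minor, patch = parse_version(version)
    train = (major, minor)
    if train in EOL_TRAINS:
        return "eol-no-fix"
    if train in FIXED_VERSIONS:
        return "fixed" if (major, minor, patch) >= FIXED_VERSIONS[train] else "vulnerable"
    if train > max(FIXED_VERSIONS):
        return "fixed"  # newer than any listed train: "all later PAN-OS versions"
    return "not-listed"  # older train not named in the text: do not guess


def triage(inventory):
    """Return {hostname: status} for every device that still needs action."""
    return {host: s for host, ver in inventory.items()
            if (s := assess(ver)) != "fixed"}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {"fw-edge-01": "10.2.9-h1", "fw-edge-02": "10.2.14",
                    "fw-dc-01": "11.0.4", "fw-dc-02": "11.1.5",
                    "fw-lab-01": "10.0.8", "fw-new-01": "12.1.0"}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Devices reported as "not-listed" run a train the advisory text above does not name, so they need a manual check against the vendor advisory rather than an assumption either way.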
Unmanaged NGFWs, NGFW managed by Panorama, or Prisma Access managed by Panorama
Ensure that a DNS Security Configuration is already present in the device's configuration. See the "Required Configuration for Exposure" section for details.
Within Objects → Security Profiles, determine if you use the predefined Anti-Spyware profiles in your Security Policy. These are named "Default" or "Strict". If you are using the predefined security profiles, clone the predefined Anti-Spyware profile for use as a custom Anti-Spyware profile. After cloning each relevant predefined Anti-Spyware profile, replace them with the cloned custom Anti-Spyware profile or group in your Security Rules (Policies → Security → (security rule) in either Actions → Profiles or Actions → Group).
For each custom Anti-Spyware profile, navigate to Objects → Security Profiles → Anti-Spyware → (select a custom profile) → DNS Policies → DNS Security.
Change the Log Severity to "none" for all configured DNS Security categories.
Commit the changes.
Note 1: Setting Log Severity to 'none' for devices that didn't have a DNS Security configuration may block DNS traffic that wasn’t previously blocked. Additionally, this may happen without generating any log entries, making it difficult to detect the blocked traffic. Review the Required Configuration for Exposure section for instructions on identifying existing DNS Security Configuration.
Note 2: Remember to revert the Log Severity settings once the fixes are applied.
NGFW managed by Strata Cloud Manager (SCM)
You can choose one of the following mitigation options:
Option 1: Disable DNS Security logging directly on each NGFW by following the PAN-OS steps above.
Option 2: Disable DNS Security logging across all NGFWs in your tenant by opening a support case.
Prisma Access managed by Strata Cloud Manager (SCM)
Until we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a support case. If you would like to expedite the upgrade, please make a note of that in the support case.