CyberSecurity news

FlagThis - #paloalto

do son@Cybersecurity News - 66d
A critical denial-of-service (DoS) vulnerability, tracked as CVE-2024-3393, has been discovered in Palo Alto Networks PAN-OS software and Prisma Access firewalls. The flaw, rated High with a CVSS score of 8.7, allows an unauthenticated attacker to send malicious DNS packets through the firewall's data plane. This causes the firewall to reboot and, after repeated attempts, to enter maintenance mode, significantly disrupting network operations. Palo Alto Networks is aware of customers experiencing this issue and has confirmed that the vulnerability is being actively exploited.

The vulnerability affects PAN-OS versions earlier than 11.2.3, 11.1.5, 10.2.10-h12, 10.2.13-h2, and 10.1.14-h8. Palo Alto Networks has released patches in PAN-OS versions 10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3, and later, with Prisma Access upgrades scheduled for January 3rd and 10th. As a temporary mitigation until the patches are applied, organizations can disable DNS Security logging in their Anti-Spyware profiles by setting the "Log Severity" to "none". PAN-OS version 11.0 has reached its end of life and will not receive a patch.

References:
  • Cyber Security News: Critical DoS Vulnerability Found in Palo Alto Networks PAN-OS (CVE-2024-3393)
  • : Merry fucking Christmas from Palo Alto Networks (Zero-Day) : (CVSSv4: 8.7 high) A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall.
  • fthy: CVE-2024-3393 PaloAlto Firewall A DoS vul in the DNS Security feature of PanOS allows an unauth attacker to send a malicious packet through the data plane of the firewall that reboots the firewall.
  • osint10x.com: Palo Alto Releases Patch for PAN-OS DoS Flaw — Update Immediately
  • securityonline.info: CVE-2024-3393: PAN-OS Vulnerability Now Exploited in the Wild
  • securityaffairs.com: Palo Alto Networks fixed a high-severity PAN-OS flaw
  • The Hacker News: Palo Alto Releases Patch for PAN-OS DoS Flaw — Update Immediately
  • ciso2ciso.com: Palo Alto Networks fixed a high-severity PAN-OS flaw – Source: securityaffairs.com
  • cyberpress.org: Critical DoS Vulnerability Found in Palo Alto Networks PAN-OS (CVE-2024-3393)
  • Osint10x: Palo Alto Releases Patch for PAN-OS DoS Flaw — Update Immediately
  • gbhackers.com: Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks
  • socradar.io: Severe Vulnerability in Palo Alto Networks PAN-OS Exposes Firewalls to Denial of Service (CVE-2024-3393)
  • ciso2ciso.com: Palo Alto Releases Patch for PAN-OS DoS Flaw — Update Immediately
  • www.bleepingcomputer.com: Palo Alto Networks is warning that hackers are exploiting the CVE-2024-3393 denial of service vulnerability to disable firewall protections by forcing it to reboot.
  • BleepingComputer: Palo Alto Networks is warning that hackers are exploiting the CVE-2024-3393 denial of service vulnerability to disable firewall protections by forcing it to reboot.
  • cR0w :cascadia:: Palo Alto updated their advisory, the DoS issue occurs on the Advanced Security DNS license too, not just DNS Security license
  • Kevin Beaumont: Palo Alto updated their advisory, the DoS issue occurs on the Advanced Security DNS license too, not just DNS Security license
  • security.paloaltonetworks.com: Palo Alto Networks published that describes an improper check for unusual or exceptional conditions vulnerability in multiple Palo Alto Networks products.
  • fortiguard.fortinet.com: PAN-OS Firewall Denial of Service (DoS) Vulnerability
  • securityonline.info: SecurityOnline: CISA Warns of Actively Exploited Palo Alto Firewall Flaw (CVE-2024-3393)
  • securityonline.info: CISA Warns of Actively Exploited Palo Alto Firewall Flaw (CVE-2024-3393)
  • gbhackers.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert on a critical vulnerability in Palo Alto Networks PAN-OS. Tracked as CVE-2024-3393, this flaw has been observed in active exploitation, putting systems at risk of remote disruption.
  • gbhackers.com: CISA Warns of Palo Alto Networks PAN-OS Vulnerability Exploited in Wild
  • thecyberexpress.com: The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding a newly discovered vulnerability in Palo Alto Networks' PAN-OS versions.
  • cyble.com: Critical PAN-OS Vulnerability Added to CISA’s Exploited List: What You Need to Know
Classification:
  • HashTags: #PaloAlto #DoS #Vulnerability
  • Company: Palo Alto Networks
  • Target: PAN-OS Users
  • Product: PAN-OS
  • Feature: DNS Security
  • Type: Vulnerability
  • Severity: Major
TIGR Threat Watch@Security Risk Advisors - 53d
Multiple vulnerabilities have been discovered in Palo Alto Networks' Expedition migration tool, posing significant security risks. These flaws could allow attackers to gain unauthorized access to sensitive data such as usernames, cleartext passwords, device configurations, and API keys associated with firewalls running PAN-OS software. An OS command injection vulnerability, tracked as CVE-2025-0107, allows authenticated attackers to execute arbitrary OS commands, potentially leading to data breaches and system compromise. The other vulnerabilities are a SQL injection (CVE-2025-0103), a reflected cross-site scripting flaw (CVE-2025-0104), an arbitrary file deletion flaw (CVE-2025-0105), and a wildcard expansion enumeration issue (CVE-2025-0106).

The Expedition tool, intended for firewall migration and optimization, reached its End of Life (EoL) on December 31, 2024, and is no longer supported or updated. Organizations are strongly advised to stop using Expedition and to move to alternative migration tools. Although Palo Alto Networks has released patches in versions 1.2.100 and 1.2.101, no further updates are planned for the tool. Until they can migrate, users should restrict network access to Expedition to authorized users, hosts, and networks only, or shut down the service if it is not in use.

References:
  • gbhackers.com: Palo Alto Networks Expedition Tool Vulnerability Let Attackers Access Cleartext Passwords
  • : Palo Alto Networks security advisories 08 January 2025: Expedition: Multiple Vulnerabilities in Expedition Migration Tool Lead to Exposure of Firewall Credentials
  • securityonline.info: CISA Alerts on Actively Exploited Vulnerabilities in Mitel MiCollab and Oracle WebLogic Server
  • ciso2ciso.com: Mitel 0-day, 5-year-old Oracle RCE bug under active exploit – Source: go.theregister.com
  • The Hacker News: CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation
  • Latest from TechRadar: CISA says Oracle and Mitel have critical security flaws being exploited
  • securityonline.info: Multiple Vulnerabilities Found in Palo Alto Networks Expedition Tool
  • socca.tech: CVE-2025-0107: (Palo Alto Networks Expedition: Medium)
  • Security Risk Advisors: Multiple Vulnerabilities in Palo Alto Networks Expedition Tool Allow Exposure of Firewall Credentials
Classification:
  • HashTags: #PaloAltoNetworks #ExpeditionTool #Vulnerability
  • Company: Palo Alto Networks
  • Target: Palo Alto Networks Users
  • Product: Expedition
  • Feature: OS Command Injection
  • Type: Vulnerability
  • Severity: Major
info@thehackernews.com (The Hacker News)@The Hacker News - 37d
Critical vulnerabilities have been discovered in Palo Alto Networks firewall devices, potentially allowing attackers to bypass Secure Boot protections and exploit firmware-level flaws. Security firm Eclypsium evaluated three Palo Alto Networks appliances, the PA-3260, PA-1410, and PA-415, and found a range of well-known vulnerabilities, collectively named "PANdora's Box". These include "BootHole", a buffer overflow in the bootloader that can lead to code execution, Secure Boot bypass issues, and firmware vulnerabilities such as LogoFail and PixieFail. Together, these flaws could allow attackers to gain elevated privileges, maintain persistence, and fully compromise firewall devices.

The identified issues comprise seven CVEs, plus insecure flash access controls and leaked signing keys that undermine the integrity of the boot process. Ranging from boot-process exploits to vulnerabilities in the InsydeH2O UEFI firmware, they could lead to privilege escalation, malicious code execution during startup, and information disclosure. Palo Alto Networks is aware of these claims and is working with third-party vendors to develop firmware updates. It states that the vulnerabilities are not exploitable under normal conditions when management interfaces are up to date and properly secured, and that PAN-OS CN-Series, PAN-OS VM-Series, Cloud NGFW, and Prisma Access are not affected.

References:
  • eclypsium.com: Eclypsium evaluated three Palo Alto Networks appliances, finding known vulnerabilities ranging from "BootHole" (buffer overflow to RCE) and Secure Boot bypass to LogoFail, PixieFail, leaked-key bypass, etc.
  • security.paloaltonetworks.com: Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls
  • The Hacker News: Palo Alto firewalls found vulnerable to secure boot bypass and firmware exploits
  • : Palo Alto Networks See parent toot above. Palo Alto Networks is in damage control mode, after Eclypsium reported that their Next Generation Firewall (NGFW) products were still impacted by multiple known vulnerabilities. Palo Alto Networks is aware of claims of multiple vulnerabilities in hardware device firmware and bootloaders included in our PA-Series (hardware) firewalls. Palo Alto Networks is not aware of any malicious exploitation of these issues in our products. We are aware of a blog post discussing these issues.
  • : Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls – Source: www.securityweek.com
  • Patrick C Miller :donor:: Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls - SecurityWeek
Classification:
  • HashTags: #PaloAlto #Firewall #SecureBoot
  • Company: Palo Alto Networks
  • Target: Palo Alto Firewall Users
  • Product: Palo Alto Firewalls
  • Feature: Secure Boot Bypass
  • Type: Vulnerability
  • Severity: Major