Palo Alto Networks Firewall Vulnerabilities Could Let Attackers Disrupt Systems

Palo Alto Networks has discovered four high-severity flaws in its firewall systems.

If exploited, these issues could let attackers disrupt services by triggering a denial of service (DoS), or modify user access controls. The vulnerabilities are identified as CVE-2024-3382, CVE-2024-3383, CVE-2024-3384, and CVE-2024-3385.

CVE-2024-3382: Denial of Service via Crafted Packets

The first vulnerability, CVE-2024-3382, affects the PAN-OS operating system. It can cause a denial of service (DoS) when the firewall processes a large number of specially crafted packets. The problem only affects PA-5400 Series devices that have the SSL Forward Proxy feature enabled. Palo Alto Networks fixed this vulnerability in PAN-OS versions 10.2.7-h3, 11.0.4, 11.1.2, and later.

CVE-2024-3383: Improper Group Membership Change

CVE-2024-3383 is a vulnerability in the Cloud Identity Engine (CIE) component of PAN-OS. It may allow unauthorized modifications to User-ID groups, which can lead to incorrect access control decisions and put the confidentiality of network resources at risk. The problem has been resolved in PAN-OS versions 10.1.11, 10.2.5, 11.0.3, and later releases.

CVE-2024-3384: DoS via Malformed NTLM Packets

The third vulnerability, CVE-2024-3384, concerns the handling of malformed NTLM packets. It can cause PAN-OS firewalls to reboot and enter maintenance mode, after which manual intervention is required to bring the firewall back into service. Patches are included in PAN-OS versions 8.1.24, 9.0.17, 9.1.15-h1, and 10.0.12.

CVE-2024-3385: Denial of Service When GTP Security Is Disabled

The fourth vulnerability, CVE-2024-3385, affects hardware-based firewalls in the PA-5400 and PA-7000 series. When GTP Security is disabled, it enables outside attackers to reboot the firewalls through a particular packet processing mechanism. Like the others, this flaw is classified as high severity, with a CVSSv4.0 Base Score of 8.2.

Affected Versions and Remediation

Palo Alto Networks is not aware of any malicious exploitation of these vulnerabilities. Customers are encouraged to apply the available patches and to follow the recommended mitigations, given the high severity ratings.

The following table summarizes the affected versions for each CVE:

Along with these high-severity flaws, Palo Alto Networks also fixed several medium-severity issues. The full advisory is available here.

Customers should review the published Palo Alto Networks documentation for general network security information and contact support for specific mitigation procedures.
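
The following is an added example, not code from Palo Alto Networks or from the original article: a patch-level check that compares running PAN-OS versions against the fixed releases quoted above, including hotfix suffixes such as `-h3`. The host names and versions in the inventory are constructed, and the check looks at version only; it does not evaluate the model or feature conditions (PA-5400 Series, SSL Forward Proxy, GTP Security) and skips CVE-2024-3385 because the article gives no fixed versions for it.

```python
import re

# Fixed releases per CVE, copied from the article text above.
# CVE-2024-3385 is omitted: the article lists no fixed versions for it.
FIXED = {
    "CVE-2024-3382": ["10.2.7-h3", "11.0.4", "11.1.2"],
    "CVE-2024-3383": ["10.1.11", "10.2.5", "11.0.3"],
    "CVE-2024-3384": ["8.1.24", "9.0.17", "9.1.15-h1", "10.0.12"],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Turn '10.2.7-h3' into (10, 2, 7, 3); a missing hotfix counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def status(cve, running):
    """Return 'patched', 'needs-upgrade' or 'check-advisory' for one CVE."""
    run = parse(running)
    for fixed in map(parse, FIXED[cve]):
        if fixed[:2] == run[:2]:  # compare only within the same release train
            return "patched" if run >= fixed else "needs-upgrade"
    # The article names no fixed release for this train, so it cannot say
    # whether the train is affected; defer to the vendor advisory.
    return "check-advisory"

def report(inventory):
    """Map each host to its per-CVE status."""
    return {host: {cve: status(cve, ver) for cve in FIXED}
            for host, ver in inventory.items()}

# Constructed sample inventory (hypothetical host names and versions).
INVENTORY = {
    "fw-edge-01": "10.2.7-h1",
    "fw-dc-02": "11.0.4",
    "fw-lab-03": "9.1.15",
}

if __name__ == "__main__":
    for host, result in report(INVENTORY).items():
        print(host, INVENTORY[host], result)
```
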