Palo Alto Networks Security Advisories / CVE-2024-3385

CVE-2024-3385 PAN-OS: Firewall Denial of Service (DoS) when GTP Security is Disabled

Urgency: MODERATE
Response Effort: LOW
Recovery: USER
Value Density: DIFFUSE
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: PRESENT
Automatable: YES
User Interaction: NONE
Product Confidentiality: NONE
Product Integrity: NONE
Product Availability: HIGH
Privileges Required: NONE
Subsequent Confidentiality: NONE
Subsequent Integrity: NONE
Subsequent Availability: NONE

Published: 2024-04-10
Updated: 2024-04-10
Reference: PAN-221224
Discovered: externally

Description
A packet processing mechanism in Palo Alto Networks PAN-OS software enables a remote attacker to reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.

This affects the following hardware firewall models:
- PA-5400 Series firewalls
- PA-7000 Series firewalls

Product Status
Version          Affected       Unaffected
Cloud NGFW       None           All
PAN-OS 11.1      None           All
PAN-OS 11.0      < 11.0.3       >= 11.0.3
PAN-OS 10.2      < 10.2.8       >= 10.2.8
PAN-OS 10.1      < 10.1.12      >= 10.1.12
PAN-OS 9.1       < 9.1.17       >= 9.1.17
PAN-OS 9.0       < 9.0.17-h4    >= 9.0.17-h4
Prisma Access    None           All

Required Configuration for Exposure
This does not affect VM-Series firewalls, CN-Series firewalls, Cloud NGFWs, or Prisma Access.

This issue affects only PAN-OS configurations with GTP Security disabled; it does not affect PAN-OS configurations that have GTP Security enabled. You should verify whether GTP Security is disabled by checking your firewall web interface (Device > Setup > Management > General Settings) and take the appropriate actions as needed.

Severity: HIGH
CVSSv4.0 Base Score: 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber)

Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue. This was encountered by two customers in normal production usage.

Weakness Type
CWE-20: Improper Input Validation
CWE-476: NULL Pointer Dereference

Solution
This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.

Workarounds and Mitigations
Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94993 (introduced in Applications and Threats content version 8832).

Acknowledgments
Palo Alto Networks thanks an external reporter for discovering and reporting this issue.

Timeline
2024-04-10: Initial publication
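As an added example (not part of this advisory and not Palo Alto Networks tooling), the check below encodes the Product Status table and the exposure conditions above: given a firewall model, a PAN-OS version string and the GTP Security setting read from Device > Setup > Management > General Settings, it reports whether the device falls in the advisory's affected set. The model-prefix matching and the hotfix ordering (a release with no -h suffix ranks below its -h hotfixes) are assumptions made here, not statements from the advisory.

```python
import re

# First fixed release per PAN-OS train, from the advisory's Product Status
# table. None means every release in that train is unaffected.
FIXED_IN = {
    "9.0": "9.0.17-h4",
    "9.1": "9.1.17",
    "10.1": "10.1.12",
    "10.2": "10.2.8",
    "11.0": "11.0.3",
    "11.1": None,
}

# Assumption: PA-5400 Series and PA-7000 Series model names start with these
# prefixes (e.g. PA-5450, PA-7080). Other models are not listed as affected.
AFFECTED_MODEL_PREFIXES = ("PA-54", "PA-70")


def parse_version(version: str) -> tuple:
    """Turn '9.0.17-h4' into a comparable tuple (9, 0, 17, 4).

    A release without a hotfix suffix is treated as hotfix 0, so
    9.0.17 < 9.0.17-h4 (assumption about hotfix ordering)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_exposed(model: str, version: str, gtp_security_enabled: bool) -> bool:
    """True when the device matches the advisory's exposure conditions."""
    if not model.upper().startswith(AFFECTED_MODEL_PREFIXES):
        return False  # VM-Series, CN-Series and other hardware are not listed
    if gtp_security_enabled:
        return False  # advisory: only GTP Security *disabled* configs are affected
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIXED_IN:
        raise ValueError(f"PAN-OS {train} is not covered by the advisory table")
    fixed = FIXED_IN[train]
    return fixed is not None and parsed < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for m, v, gtp in [("PA-5450", "10.2.7", False), ("PA-7080", "9.0.17-h4", False)]:
        print(m, v, "GTP on" if gtp else "GTP off", "->", is_exposed(m, v, gtp))
```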