Palo Alto Networks Security Advisories

CVE-2024-3386 PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended

Urgency: MODERATE
Response Effort: LOW
Recovery: AUTOMATIC
Value Density: DIFFUSE
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Automatable: YES
User Interaction: NONE
Product Confidentiality: NONE
Product Integrity: LOW
Product Availability: NONE
Privileges Required: NONE
Subsequent Confidentiality: NONE
Subsequent Integrity: NONE
Subsequent Availability: NONE

Published: 2024-04-10
Updated: 2024-04-10
Reference: PAN-208155
Discovered: externally

Description

An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.

Product Status

Versions | Affected | Unaffected
Cloud NGFW | None | All
PAN-OS 11.1 | None | All
PAN-OS 11.0 | < 11.0.1-h2, < 11.0.2 | >= 11.0.1-h2, >= 11.0.2
PAN-OS 10.2 | < 10.2.4-h2, < 10.2.5 | >= 10.2.4-h2, >= 10.2.5
PAN-OS 10.1 | < 10.1.9-h3, < 10.1.10 | >= 10.1.9-h3, >= 10.1.10
PAN-OS 10.0 | < 10.0.13 | >= 10.0.13
PAN-OS 9.1 | < 9.1.17 | >= 9.1.17
PAN-OS 9.0 | < 9.0.17-h2 | >= 9.0.17-h2
Prisma Access | None | All

Required Configuration for Exposure

You must configure Predefined Decryption Exclusions on your PAN-OS firewalls. You should check to see whether you have any configured exclusions in your firewall web interface (Device > Certificate Management > SSL Decryption Exclusions).

Severity: MEDIUM

CVSSv4.0 Base Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-436 Interpretation Conflict

Solution

This issue is fixed in 9.0.17-h2, 9.0.18, 9.1.17, 10.0.13, 10.1.9-h3, 10.1.10, 10.2.4-h2, 10.2.5, 11.0.1-h2, 11.0.2, and all later PAN-OS versions.

Acknowledgments

Palo Alto Networks thanks Frederic De Vlieger for discovering and reporting this issue.

Timeline

2024-04-10: Initial publication
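
The affected and unaffected ranges in this advisory can be turned into a fleet check that handles the hotfix suffixes (such as 11.0.1-h2) correctly. The following is an added example, not code from Palo Alto Networks; the function names and the inventory are constructed, and it assumes versions are written as X.Y.Z or X.Y.Z-hN.

```python
import re

# First unaffected release per PAN-OS train, copied from the advisory's
# Product Status table. None means the advisory lists no affected versions.
FIRST_FIXED = {
    "11.1": None,
    "11.0": "11.0.1-h2",
    "10.2": "10.2.4-h2",
    "10.1": "10.1.9-h3",
    "10.0": "10.0.13",
    "9.1": "9.1.17",
    "9.0": "9.0.17-h2",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_version(text):
    """Turn 'X.Y.Z' or 'X.Y.Z-hN' into a sortable tuple (X, Y, Z, N)."""
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    # A release without a hotfix suffix sorts before its -h1, -h2, ... builds.
    return int(major), int(minor), int(maint), int(hotfix or 0)


def classify(version):
    """Return 'affected', 'unaffected' or 'not listed' for a version string.

    This checks the version only; exposure also requires that Predefined
    Decryption Exclusions are configured on the firewall.
    """
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIRST_FIXED:
        return "not listed"  # train does not appear in the advisory's table
    first_fixed = FIRST_FIXED[train]
    if first_fixed is None or parsed >= parse_version(first_fixed):
        return "unaffected"
    return "affected"


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample values.
    inventory = {"fw-edge-01": "10.2.4-h1", "fw-edge-02": "10.2.5",
                 "fw-dc-01": "11.0.1-h2", "fw-lab-01": "9.0.17"}
    for host, version in sorted(inventory.items()):
        print(f"{host}\t{version}\t{classify(version)}")
```

A single threshold per train is enough because the tuple ordering places 11.0.2 after 11.0.1-h2, matching both conditions in each table row.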