Palo Alto Security Center, 2024-07-04
CVE-2024-3384 PAN-OS: Firewall Denial of Service (DoS) via Malformed NTLM Packets (Severity: HIGH)

 

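A vulnerability in Palo Alto Networks PAN-OS software allows a remote attacker to reboot PAN-OS firewalls when receiving Windows New Technology LAN Manager (NTLM) packets from Windows servers. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.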

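💥 **Vulnerability description:** This vulnerability allows a remote attacker to make a PAN-OS firewall reboot by sending specially crafted NTLM packets to it. An attacker can use it to cause a denial of service, leaving the firewall unable to operate normally.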

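💥 **Affected versions:** This vulnerability affects all PAN-OS versions, including 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0 and 11.1. However, PAN-OS 8.1.24, 9.0.17, 9.1.15-h1, 10.0.12 and later versions have fixed the vulnerability.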

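💥 **Remediation advice:** Palo Alto Networks recommends that all users upgrade to the latest version of PAN-OS software as soon as possible. Users should also check the firewall configuration to make sure NTLM authentication is disabled. If NTLM authentication must stay enabled, users should consider using other authentication mechanisms to reduce the attack risk.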

**CVE-2024-3384 PAN-OS: Firewall Denial of Service (DoS) via Malformed NTLM Packets**

| Metric | Value |
| --- | --- |
| Urgency | MODERATE |
| Response Effort | MODERATE |
| Recovery | USER |
| Value Density | DIFFUSE |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Attack Requirements | PRESENT |
| Automatable | NO |
| User Interaction | NONE |
| Product Confidentiality | NONE |
| Product Integrity | NONE |
| Product Availability | HIGH |
| Privileges Required | NONE |
| Subsequent Confidentiality | NONE |
| Subsequent Integrity | NONE |
| Subsequent Availability | NONE |

Published: 2024-04-10
Updated: 2024-04-10
Reference: PAN-198992
Discovered: externally

**Description**

A vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to reboot PAN-OS firewalls when receiving Windows New Technology LAN Manager (NTLM) packets from Windows servers. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.

**Product Status**

| Versions | Affected | Unaffected |
| --- | --- | --- |
| Cloud NGFW | None | All |
| PAN-OS 11.1 | None | All |
| PAN-OS 11.0 | None | All |
| PAN-OS 10.2 | None | All |
| PAN-OS 10.1 | None | All |
| PAN-OS 10.0 | < 10.0.12 | >= 10.0.12 |
| PAN-OS 9.1 | < 9.1.15-h1 | >= 9.1.15-h1 |
| PAN-OS 9.0 | < 9.0.17 | >= 9.0.17 |
| PAN-OS 8.1 | < 8.1.24 | >= 8.1.24 |
| Prisma Access | None | All |

**Required Configuration for Exposure**

This issue affects only PAN-OS configurations with NTLM authentication enabled. You should verify whether NTLM authentication is enabled by checking your firewall web interface (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > NTLM).

**Severity:** HIGH

CVSSv4.0 Base Score: 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-1286 Improper Validation of Syntactic Correctness of Input

**Solution**

This issue is fixed in PAN-OS 8.1.24, PAN-OS 9.0.17, PAN-OS 9.1.15-h1, PAN-OS 10.0.12, and all later PAN-OS versions.

**Acknowledgments**

Palo Alto Networks thanks rqu for discovering and reporting this issue.

**Timeline**

2024-04-10 Initial publication
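To triage a fleet against the advisory's Product Status data and its "Required Configuration for Exposure" condition, the following added example (not code from Palo Alto Networks or from this page) classifies each firewall by software version and NTLM setting, including hotfix builds such as `9.1.15-h1`. It assumes version strings of the form `X.Y.Z` or `X.Y.Z-hN`; the hostnames and inventory rows are constructed sample data, and the status labels are names chosen for this example.

```python
import re

# First fixed release per affected branch, from the advisory's Product Status data.
FIXED = {"8.1": "8.1.24", "9.0": "9.0.17", "9.1": "9.1.15-h1", "10.0": "10.0.12"}
# Branches the advisory lists with "Affected: None".
UNAFFECTED_BRANCHES = {"10.1", "10.2", "11.0", "11.1"}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Turn 'X.Y.Z' or 'X.Y.Z-hN' into a comparable tuple; a base release sorts as hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def exposure(version, ntlm_enabled):
    """Return 'unaffected', 'not-listed', 'patched', 'vulnerable-ntlm-off' or 'exposed'."""
    parsed = parse(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch in UNAFFECTED_BRANCHES:
        return "unaffected"
    if branch not in FIXED:
        return "not-listed"  # branch absent from the advisory: review by hand
    if parsed >= parse(FIXED[branch]):
        return "patched"
    # Affected build: exposed only when NTLM authentication is enabled.
    return "exposed" if ntlm_enabled else "vulnerable-ntlm-off"


# Constructed inventory: (hostname, software version, NTLM enabled in User-ID Agent Setup).
INVENTORY = [
    ("fw-edge-01", "9.1.15", True),
    ("fw-edge-02", "9.1.15-h1", True),
    ("fw-dc-01", "10.0.11-h4", False),
    ("fw-dc-02", "10.2.4", True),
    ("fw-lab-01", "8.1.23", True),
]


def triage(inventory):
    return {host: exposure(ver, ntlm) for host, ver, ntlm in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

A `vulnerable-ntlm-off` result still calls for an upgrade, since re-enabling NTLM later would expose the device.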
