topic Re: Regarding Security Advisory CVE-2024-3393 in General Topics

Regarding Security Advisory CVE-2024-3393

MRamadanAHafiez — Fri, 27 Dec 2024 05:46:22 GMT

Hello Team,

I have recently upgraded my pa-1410 firewall to panos ver. 11.1.4-h7, because its preferred version so far.

Today I have received this advisory link ...

https://securityadvisories.paloaltonetworks.com/CVE-2024-3393

I have DNS Security enabled.

Things are not clear to take an action, what id action required? I can see my version listed as fixed, or it should be patched by Tac.

What do you think?

TIA.

Re: Regarding Security Advisory CVE-2024-3393

mshekh — Fri, 27 Dec 2024 07:27:06 GMT

Hi @MRamadanAHafiez

PAN-OS 11.1.4-h7 has fix for this CVE-2024-3393 so you don't need to do anything if you are running PAN-OS 11.1.4-h7

https://securityadvisories.paloaltonetworks.com/CVE-2024-3393

Re: Regarding Security Advisory CVE-2024-3393

MRamadanAHafiez — Fri, 27 Dec 2024 08:01:03 GMT

Thank you so much @mshekh .

I posted thus because the advisory stated the nersion as its fixed and still listed down in the CPEs. 😀

You've confirmed my findings.

Re: Regarding Security Advisory CVE-2024-3393

Marcel_Giquel — Fri, 27 Dec 2024 10:47:16 GMT

Hi @MShekh

I have Palo's on 10.2.8-h15 . Does this 10.2.8-h15 version has the fix for CVE-2024-3393?

Thanks for your help.

Re: Regarding Security Advisory CVE-2024-3393

mshekh — Fri, 27 Dec 2024 14:41:54 GMT

Hi @Marcel_Giquel

No Fix is not included in PAN-OS 10.2.8-h15 for CVE-2024-3393. Please refer the below link for fixed versions

https://security.paloaltonetworks.com/CVE-2024-3393

Re: Regarding Security Advisory CVE-2024-3393

Omar-Khouli — Fri, 27 Dec 2024 14:51:51 GMT

Hello Team @mshekh ,

Please advise if version 10.2.7-h3 affected with this CVE or not?

Thanks

Re: Regarding Security Advisory CVE-2024-3393

plau — Fri, 27 Dec 2024 17:46:52 GMT

Do the firewalls need the DNS Security license to be affected? Or are all firewalls with DNS logging enabled affected? We are trying to determine scope and not all our firewalls have the DNS Security license.

Re: Regarding Security Advisory CVE-2024-3393

OtakarKlier — Fri, 27 Dec 2024 18:11:35 GMT

Hello All,

Please read the documentation:

So 11.1.4-h7 is affected. 10.2.8-h15 is not affected. 10.2.7-h3 is affected. There is a mitigation prior to upgrade:

https://securityadvisories.paloaltonetworks.com/CVE-2024-3393#:~:text=Workarounds%20and%20Mitigations

The vulnerability is in the Anti-Spyware DNS logging section.

Regards,

Re: Regarding Security Advisory CVE-2024-3393

T.Bullock — Fri, 27 Dec 2024 18:26:44 GMT

I have the same scenario as well. Please let me know if you get some clarity on whether customers in the same situation are vulnerable.

Re: Regarding Security Advisory CVE-2024-3393

MRamadanAHafiez — Fri, 27 Dec 2024 18:27:06 GMT

Hi @OtakarKlier I posted this discusion because it was not clear.

It saied any ver below 11.1.5, the it says versions with fix and 11.1.4-h7 listed, and this version still listed in the CPEs field.

Re: Regarding Security Advisory CVE-2024-3393

OtakarKlier — Fri, 27 Dec 2024 18:30:39 GMT

Interesting they put it there and not in the main graphic. I stand corrected.

Re: Regarding Security Advisory CVE-2024-3393

OtakarKlier — Fri, 27 Dec 2024 18:32:48 GMT

Great question. The mitigation only refers to the Anti-Spyware signatures and doesnt mention Secure DNS. Maybe TAC has an answer?

Re: Regarding Security Advisory CVE-2024-3393

T.Bullock — Fri, 27 Dec 2024 18:33:51 GMT

I am going to open a case. I will post their response.

Re: Regarding Security Advisory CVE-2024-3393

MRamadanAHafiez — Fri, 27 Dec 2024 18:40:06 GMT

I will open a case and post the answers too, thank you.

Re: Regarding Security Advisory CVE-2024-3393

Mattias_Sauer — Mon, 30 Dec 2024 11:38:56 GMT

I opened a ticket at Palo Alto support. PA Version 11.1.4-h7 is already patched and not affected by CVE-2024-3393.

Extract from the support ticket:

Is the PA version 11.1.4-h7 already protected against the new CVE-2024-3393?
- Yes , version 11.1.4-h7 protected against the new CVE-2024-3393.

Re: Regarding Security Advisory CVE-2024-3393

Mattias_Sauer — Mon, 30 Dec 2024 13:28:04 GMT

And additional comment of Palo Alto Support for the fixed versions which are not affected by CVE-2024-3393:

The Recommended Remediated Versions for 11.1.4 are as follows:
- 11.1.4-h7
- 11.1.5

Other available Unaffected versions for 11.2 are :
11.2.0 ----> 11.2.3
11.2.1 -----> 11.2.3
11.2.2 -----> 11.2.3

The above given versions are TAC-preferred versions which are fixed.

Re: Regarding Security Advisory CVE-2024-3393

Mattias_Sauer — Mon, 30 Dec 2024 13:42:17 GMT

Please see my post:

I opened a ticket at Palo Alto support. PA Version 11.1.4-h7 is already patched and not affected by CVE-2024-3393.

Extract from the support ticket:

Is the PA version 11.1.4-h7 already protected against the new CVE-2024-3393?
- Yes , version 11.1.4-h7 protected against the new CVE-2024-3393.

Re: Regarding Security Advisory CVE-2024-3393

MRamadanAHafiez — Mon, 30 Dec 2024 15:07:40 GMT

Hello Team,

Ironically, 😞 i opened a case too but with partner who recommended to apply the workaround although i have deployed 11.1.4-h7.

We will wait until the preferred version gets patched against this vulnerability.

Now what

Re: Regarding Security Advisory CVE-2024-3393

JayGolf — Mon, 30 Dec 2024 17:32:10 GMT

Hi @plau,

CVE-2024-3393 is only vulnerable if a customer has an affected PAN-OS software version and both of the following are configured:
1. Either a DNS Security License or an Advanced DNS Security License must be applied; AND
2. DNS Security logging must be enabled.

CC: @mshekh

Re: Regarding Security Advisory CVE-2024-3393

easupport-14217 — Mon, 30 Dec 2024 20:41:03 GMT

If a firewall had an expired DNS/Advanced DNS license, would it not be affected?

The wording isn't clear because, technically, wouldn't the expired license still be applied? It just wouldn't be active.

So, is it an active and applied license?