Regarding Security Advisory CVE-2024-3393


L3 Networker

Hello Team,

I recently upgraded my PA-1410 firewall to PAN-OS ver. 11.1.4-h7, because it's the preferred version so far.

Today I have received this advisory link ...

https://securityadvisories.paloaltonetworks.com/CVE-2024-3393

I have DNS Security enabled.

Things are not clear enough to take action; what action is required? I can see my version listed as fixed, or it should be patched by TAC.

 

What do you think?

TIA.

MR
2 accepted solutions

Accepted Solutions

L2 Linker

Hi @MRamadanAHafiez 

 

PAN-OS 11.1.4-h7 has the fix for CVE-2024-3393, so you don't need to do anything if you are running PAN-OS 11.1.4-h7.

 

https://securityadvisories.paloaltonetworks.com/CVE-2024-3393


Community Team Member

Hi @plau,

 

CVE-2024-3393 is only vulnerable if a customer has an affected PAN-OS software version and both of the following are configured:
1. Either a DNS Security License or an Advanced DNS Security License must be applied; AND
2. DNS Security logging must be enabled.

 

CC: @mshekh 

LIVEcommunity team member
Stay Secure,
Jay

19 REPLIES 19


Thank you so much @mshekh .

I posted this because the advisory stated the version as fixed and it is still listed in the CPEs. 😀

You've confirmed my findings.

MR

Hi @MShekh

I have Palos on 10.2.8-h15. Does this 10.2.8-h15 version have the fix for CVE-2024-3393?

Thanks for your help.

L2 Linker

Hi @Marcel_Giquel 

 

No, the fix is not included in PAN-OS 10.2.8-h15 for CVE-2024-3393. Please refer to the link below for fixed versions.

https://security.paloaltonetworks.com/CVE-2024-3393

 

L0 Member

Hello Team @mshekh ,

 

Please advise whether version 10.2.7-h3 is affected by this CVE or not.

 

Thanks

L0 Member

Do the firewalls need the DNS Security license to be affected? Or are all firewalls with DNS logging enabled affected? We are trying to determine scope and not all our firewalls have the DNS Security license.

Cyber Elite

Hello All,

Please read the documentation:

[Attached image: OtakarKlier_0-1735322927728.png]

 

So 11.1.4-h7 is affected. 10.2.8-h15 is not affected. 10.2.7-h3 is affected. There is a mitigation prior to upgrade:

https://securityadvisories.paloaltonetworks.com/CVE-2024-3393#:~:text=Workarounds%20and%20Mitigation...

 

The vulnerability is in the Anti-Spyware DNS logging section.

Regards,

I have the same scenario as well. Please let me know if you get some clarity on whether customers in the same situation are vulnerable.

Hi @OtakarKlier, I posted this discussion because it was not clear.

It said any ver below 11.1.5, then it says versions with fix and 11.1.4-h7 is listed, and this version is still listed in the CPEs field.

MR

Cyber Elite

Interesting they put it there and not in the main graphic. I stand corrected.

Great question. The mitigation only refers to the Anti-Spyware signatures and doesn't mention Secure DNS. Maybe TAC has an answer?

I am going to open a case. I will post their response.

 

I will open a case and post the answers too, thank you.

MR

L1 Bithead

I opened a ticket at Palo Alto support. PA Version 11.1.4-h7 is already patched and not affected by CVE-2024-3393.

 

Extract from the support ticket:

Is the PA version 11.1.4-h7 already protected against the new CVE-2024-3393?
- Yes , version 11.1.4-h7 protected against the new CVE-2024-3393.
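
A scoping sketch for the question this thread keeps circling, added here as an example and not part of any post or of Palo Alto Networks' tooling: it compares PAN-OS builds with hotfix suffixes and applies the three conditions quoted above (affected version, DNS Security or Advanced DNS Security license, DNS Security logging). The inventory field names, the hostnames and the two comparison rules marked in the comments are assumptions; the fixed-build table holds only the two 11.1 values mentioned in the thread, so other trains report `check-advisory` until filled in from the advisory.

```python
import re

# Builds that contain the fix, keyed by release train. Only these two values
# appear in the thread; add the remaining trains from the vendor advisory.
FIXED_BUILDS = {"11.1": ["11.1.4-h7", "11.1.5"]}

def parse_panos(version):
    """'11.1.4-h7' -> (11, 1, 4, 7); a build without a hotfix gets hotfix 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def has_fix(version, fixed_builds=FIXED_BUILDS):
    """True or False when the train is listed, None when there is no data."""
    v = parse_panos(version)
    fixes = [parse_panos(f) for f in fixed_builds.get(f"{v[0]}.{v[1]}", [])]
    if not fixes:
        return None
    for f in fixes:
        if f[3]:
            # Assumption: a hotfix covers only its own maintenance release,
            # at that hotfix number or a later one.
            if v[:3] == f[:3] and v[3] >= f[3]:
                return True
        elif v[:3] >= f[:3]:
            # Assumption: later maintenance releases in the train keep the fix.
            return True
    return False

def triage(fw):
    """Classify one inventory row using the conditions quoted in the thread."""
    fixed = has_fix(fw["version"])
    if fixed:
        return "fixed"
    # dns_license: DNS Security or Advanced DNS Security license applied.
    if not (fw["dns_license"] and fw["dns_logging"]):
        return "preconditions-not-met"
    return "check-advisory" if fixed is None else "exposed"

# Constructed inventory; hostnames and feature flags are made up.
INVENTORY = [
    {"name": "fw-a", "version": "11.1.4-h7", "dns_license": True, "dns_logging": True},
    {"name": "fw-b", "version": "11.1.3", "dns_license": True, "dns_logging": True},
    {"name": "fw-c", "version": "11.1.3", "dns_license": False, "dns_logging": True},
    {"name": "fw-d", "version": "10.2.8-h15", "dns_license": True, "dns_logging": True},
]

def report(inventory=INVENTORY):
    return {fw["name"]: triage(fw) for fw in inventory}
```

A firewall reported as `preconditions-not-met` is still on a build without the fix, so it moves to `exposed` as soon as the license is applied and logging is turned on.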
