12-26-2024 09:46 PM
Hello Team,
I have recently upgraded my PA-1410 firewall to PAN-OS ver. 11.1.4-h7, because it's the preferred version so far.
Today I have received this advisory link ...
https://securityadvisories.paloaltonetworks.com/CVE-2024-3393
I have DNS Security enabled.
Things are not clear enough to take an action. What action is required? I can see my version listed as fixed, or should it be patched by TAC?
What do you think?
TIA.
12-26-2024 11:27 PM
PAN-OS 11.1.4-h7 has the fix for CVE-2024-3393, so you don't need to do anything if you are running PAN-OS 11.1.4-h7.
https://securityadvisories.paloaltonetworks.com/CVE-2024-3393
12-30-2024 09:26 AM - edited 12-30-2024 09:32 AM
Hi @plau,
CVE-2024-3393 is only vulnerable if a customer has an affected PAN-OS software version and both of the following are configured:
1. Either a DNS Security License or an Advanced DNS Security License must be applied; AND
2. DNS Security logging must be enabled.
CC: @mshekh
12-27-2024 12:01 AM
Thank you so much @mshekh .
I posted this because the advisory stated the version as fixed and still listed it in the CPEs. 😀
You've confirmed my findings.
12-27-2024 02:47 AM
Hi @MShekh
I have Palos on 10.2.8-h15. Does this 10.2.8-h15 version have the fix for CVE-2024-3393?
Thanks for your help.
12-27-2024 06:41 AM
No, the fix is not included in PAN-OS 10.2.8-h15 for CVE-2024-3393. Please refer to the link below for fixed versions:
https://security.paloaltonetworks.com/CVE-2024-3393
12-27-2024 09:46 AM
Do the firewalls need the DNS Security license to be affected? Or are all firewalls with DNS logging enabled affected? We are trying to determine scope and not all our firewalls have the DNS Security license.
12-27-2024 10:11 AM
Hello All,
Please read the documentation:
So 11.1.4-h7 is affected. 10.2.8-h15 is not affected. 10.2.7-h3 is affected. There is a mitigation prior to upgrade:
The vulnerability is in the Anti-Spyware DNS logging section.
Regards,
12-27-2024 10:26 AM
I have the same scenario as well. Please let me know if you get some clarity on whether customers in the same situation are vulnerable.
12-27-2024 10:27 AM
Hi @OtakarKlier, I posted this discussion because it was not clear.
It said any version below 11.1.5, then it lists versions with the fix and 11.1.4-h7 is listed, and this version is still listed in the CPEs field.
12-27-2024 10:30 AM
Interesting they put it there and not in the main graphic. I stand corrected.
12-27-2024 10:32 AM
Great question. The mitigation only refers to the Anti-Spyware signatures and doesn't mention Secure DNS. Maybe TAC has an answer?
12-27-2024 10:33 AM
I am going to open a case. I will post their response.
12-27-2024 10:40 AM
I will open a case and post the answers too, thank you.
12-30-2024 03:38 AM
I opened a ticket at Palo Alto support. PA Version 11.1.4-h7 is already patched and not affected by CVE-2024-3393.
Extract from the support ticket:
Is the PA version 11.1.4-h7 already protected against the new CVE-2024-3393?
- Yes, version 11.1.4-h7 is protected against the new CVE-2024-3393.
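The confusion in this thread comes from hotfix builds: 11.1.4-h7 is below 11.1.5 yet carries the fix, and exposure also depends on the DNS Security license plus DNS Security logging being enabled. The following is an added example (not from the thread or from Palo Alto Networks) of a fleet inventory check that encodes both points; the FIXED_MIN table is constructed and contains only the 11.1 entry the thread confirms, so other release trains must be filled in from the vendor advisory.

```python
import re
from typing import NamedTuple, Optional


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when there is no -hN suffix


# Matches "11.1.4" and "11.1.4-h7"; anything else is rejected rather than guessed.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Minimum build containing the fix, per release train (major, minor).
# Constructed table: only the 11.1 entry is taken from this thread, where
# 11.1.4-h7 was confirmed as fixed. Fill the remaining trains from the advisory.
FIXED_MIN = {
    (11, 1): "11.1.4-h7",
}


def has_fix(version: str) -> Optional[bool]:
    """True/False if the train is known; None when the train is not in FIXED_MIN."""
    v = parse_version(version)
    fixed = FIXED_MIN.get((v.major, v.minor))
    if fixed is None:
        return None
    # Tuple comparison handles the hotfix field, so 11.1.4-h7 >= 11.1.4-h7
    # while 11.1.4 and 11.1.4-h6 both fall short of the fixed build.
    return v >= parse_version(fixed)


def is_exposed(version: str, dns_security_license: bool,
               dns_security_logging: bool) -> Optional[bool]:
    """Exposed only if both preconditions hold AND the build lacks the fix."""
    if not (dns_security_license and dns_security_logging):
        return False
    fix = has_fix(version)
    return None if fix is None else not fix
```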