12-26-2024 09:46 PM
Hello Team,
I have recently upgraded my PA-1410 firewall to PAN-OS ver. 11.1.4-h7, because it's the preferred version so far.
Today I have received this advisory link ...
https://securityadvisories.paloaltonetworks.com/CVE-2024-3393
I have DNS Security enabled.
Things are not clear enough to take an action; what is the action required? I can see my version listed as fixed, or it should be patched by TAC.
What do you think?
TIA.
12-30-2024 05:28 AM
An additional comment from Palo Alto Support on the fixed versions which are not affected by CVE-2024-3393:
The Recommended Remediated Versions for 11.1.4 are as follows:
- 11.1.4-h7
- 11.1.5
Other available unaffected versions for 11.2 are:
- 11.2.0 -> 11.2.3
- 11.2.1 -> 11.2.3
- 11.2.2 -> 11.2.3
The above given versions are TAC-preferred versions which are fixed.
12-30-2024 05:42 AM
Please see my post:
I opened a ticket at Palo Alto support. PA Version 11.1.4-h7 is already patched and not affected by CVE-2024-3393.
Extract from the support ticket:
Is the PA version 11.1.4-h7 already protected against the new CVE-2024-3393?
- Yes, version 11.1.4-h7 is protected against the new CVE-2024-3393.
12-30-2024 07:07 AM
Hello Team,
Ironically, 😞 I opened a case too, but with a partner who recommended applying the workaround although I have deployed 11.1.4-h7.
We will wait until the preferred version gets patched against this vulnerability.
Now what?
12-30-2024 09:26 AM - edited 12-30-2024 09:32 AM
Hi @plau,
CVE-2024-3393 is only vulnerable if a customer has an affected PAN-OS software version and both of the following are configured:
1. Either a DNS Security License or an Advanced DNS Security License must be applied; AND
2. DNS Security logging must be enabled.
CC: @mshekh
12-30-2024 12:41 PM
If a firewall had an expired DNS/Advanced DNS license, would it not be affected?
The wording isn't clear because, technically, wouldn't the expired license still be applied? It just wouldn't be active.
So, is it an active and applied license?
12-31-2024 12:01 AM
Double checked, checked again, and now version 11.1.4-h7 is NOT affected by CVE-2024-3393.
"I think the CVE-2024-3393 security advisory needs to be rewritten, as it caused misunderstanding among some clients"
Thank you Team.
01-02-2025 01:36 AM
Hi
Is version 10.1.10-h5 affected?
Regards