CVE-2024-3384
📋 TL;DR
A vulnerability in Palo Alto Networks PAN-OS software allows a malicious NTLM packet sent from a Windows server to reboot the firewall. Repeated attacks eventually force the firewall into maintenance mode, which requires manual intervention to bring it back online. Any organization running an unpatched PAN-OS release on Palo Alto Networks firewalls is affected.
💻 Affected Systems
- Palo Alto Networks PAN-OS
📦 What is this software?
PAN-OS by Palo Alto Networks, the operating system that runs on Palo Alto Networks firewalls.
⚠️ Risk & Real-World Impact
Worst Case
Sustained denial-of-service causing firewalls to enter maintenance mode, requiring manual intervention and potentially creating extended network outages.
Likely Case
Intermittent firewall reboots disrupting network traffic and security services until patched.
If Mitigated
Minimal impact where network segmentation and access controls prevent untrusted NTLM traffic from reaching firewall interfaces.
🎯 Exploit Status
An attacker needs to be able to deliver a malicious NTLM packet from a Windows server to a vulnerable firewall; no authentication to the firewall is required. Because a single packet triggers a reboot, repeating the attack is enough to drive the firewall into maintenance mode.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PAN-OS 11.1.2-h4, PAN-OS 11.0.4-h5, PAN-OS 10.2.9-h2, PAN-OS 10.1.12-h5, PAN-OS 9.1.18-h2
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2024-3384
Restart Required: Yes
Instructions:
1. Download the appropriate hotfix from the Palo Alto Networks support portal.
2. Upload the hotfix image to the firewall.
3. Install the hotfix.
4. Reboot the firewall when prompted.
🔧 Temporary Workarounds
Block NTLM traffic to firewalls
Implement network access controls so that NTLM packets from untrusted hosts cannot reach firewall interfaces.
Disable NTLM authentication
Configure Windows servers to use Kerberos instead of NTLM where possible.
🧯 If You Can't Patch
- Implement strict network segmentation so that only trusted Windows servers can send NTLM traffic to firewall interfaces
- Monitor firewall logs for unexpected reboots and maintenance-mode entries, and watch for unusual NTLM traffic patterns toward the firewall
🔍 How to Verify
Check if Vulnerable:
Check the PAN-OS version via the WebUI (Dashboard) or the CLI. If the version is on one of the release trains listed under Official Fix and is lower than the hotfix version for that train, the system is vulnerable.
Check Version:
show system info | match version
Verify Fix Applied:
Confirm that the running PAN-OS version is equal to or later than the hotfix version listed for its release train (for example, 10.2.9-h2 or any later 10.2 release).
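The version comparison above is easy to get wrong by hand because PAN-OS hotfix suffixes (the "-hN" part) sort after the base release. The following is an added example, not Palo Alto Networks code, that parses a `sw-version` line from `show system info` output and compares it against the hotfix versions listed under Official Fix. The sample `show system info` output is constructed, and release trains not listed on this page are reported as "unknown-train" rather than guessed at.

```python
"""Added example: check a PAN-OS version against the CVE-2024-3384 hotfixes.

Not Palo Alto Networks code. The fix versions come from the advisory summary
above; the sample `show system info` output is constructed for illustration.
"""
import re

# Hotfix versions listed under Official Fix, keyed by release train.
FIXED = {
    (11, 1): "11.1.2-h4",
    (11, 0): "11.0.4-h5",
    (10, 2): "10.2.9-h2",
    (10, 1): "10.1.12-h5",
    (9, 1): "9.1.18-h2",
}

# major.minor.maint with an optional -hN hotfix suffix, e.g. 10.2.9-h2
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed sample output; only the sw-version line matters here.
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: fw-edge-01
sw-version: 10.2.9
"""


def parse_version(text):
    """Return (major, minor, maint, hotfix); a missing hotfix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def extract_sw_version(show_system_info):
    """Pull the sw-version value out of `show system info` output."""
    for line in show_system_info.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found")


def assess(version):
    """Classify a version as 'fixed', 'vulnerable' or 'unknown-train'.

    A base release compares lower than its own hotfixes (10.2.9 < 10.2.9-h2),
    while a later maintenance release on the same train (10.2.10) is fixed.
    """
    v = parse_version(version)
    train = v[:2]
    if train not in FIXED:
        return "unknown-train"  # page lists no fix for this train; do not guess
    return "fixed" if v >= parse_version(FIXED[train]) else "vulnerable"


if __name__ == "__main__":
    running = extract_sw_version(SAMPLE_SHOW_SYSTEM_INFO)
    print(f"sw-version {running}: {assess(running)}")
```

Feed the function the real output of `show system info` (or the `sw-version` field from the XML API) and treat "unknown-train" as a prompt to consult the vendor advisory, not as a clean result.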
📡 Detection & Monitoring
Log Indicators:
- Firewall reboot events
- Unexpected maintenance mode entries
- Increased NTLM authentication attempts
Network Indicators:
- Spike in NTLM traffic to firewall interfaces
- Unusual NTLM packet patterns
SIEM Query (field names are illustrative; map them to the fields your log source actually emits):
source="pan-firewall" AND (event_type="reboot" OR event_type="maintenance_mode")
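A single reboot is routine, so the signal for this CVE is a run of reboots on one device in a short window, followed by a maintenance-mode entry. The following is an added example, not Palo Alto Networks code or a vendor detection, that applies that logic to constructed, SIEM-normalised event lines. The `device` and `event_type` field names mirror the query above and are assumptions, not PAN-OS log fields; events are assumed to arrive in time order.

```python
"""Added example: flag repeated reboots and maintenance-mode entries.

Not vendor code. The event lines below are constructed, and the field names
(device, event_type) are assumptions to be mapped onto your real log source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: fw-edge-01 reboots three times within an hour and then
# drops into maintenance mode; fw-core-01 has one routine reboot.
SAMPLE_EVENTS = """\
2024-04-10T02:15:07Z device=fw-edge-01 event_type=reboot
2024-04-10T02:31:40Z device=fw-edge-01 event_type=reboot
2024-04-10T02:48:12Z device=fw-edge-01 event_type=reboot
2024-04-10T02:49:30Z device=fw-edge-01 event_type=maintenance_mode
2024-04-10T03:00:00Z device=fw-core-01 event_type=reboot
2024-04-10T03:05:00Z device=fw-core-01 event_type=config_commit
"""


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_alerts(raw, reboot_threshold=3, window=timedelta(hours=1)):
    """Return (device, reason) alerts for repeated reboots or maintenance mode.

    Reboots are tracked per device in a sliding window; older timestamps are
    dropped as each new reboot arrives. Any maintenance_mode event alerts
    immediately because it is the end state of sustained exploitation.
    """
    alerts = []
    recent = defaultdict(deque)  # device -> reboot timestamps inside window
    for line in raw.strip().splitlines():
        ev = parse_event(line)
        dev, kind, ts = ev["device"], ev["event_type"], ev["ts"]
        if kind == "maintenance_mode":
            alerts.append((dev, "entered maintenance mode"))
        elif kind == "reboot":
            q = recent[dev]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= reboot_threshold:
                alerts.append((dev, f"{len(q)} reboots within {window}"))
    return alerts


if __name__ == "__main__":
    for device, reason in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {device}: {reason}")
```

Tune the threshold and window to the platform's normal reboot time; a firewall that takes several minutes to come back cannot produce many reboots per hour unless something is repeatedly knocking it over, which is exactly the pattern this CVE produces.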