[Palo Alto Networks Security Advisories] CVE-2024-9468 PAN-OS: Firewall Denial of Service (DoS) via a Maliciously CraftedPacket

May 1, 2025

Palo Alto Networks Security Advisories /CVE-2024-9468

CVE-2024-9468 PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet

UrgencyMODERATE

047910
Severity8.2 ·HIGH
Exploit MaturityN/A
Response EffortLOW
RecoveryUSER
Value DensityCONCENTRATED
Attack VectorNETWORK
Attack ComplexityHIGH
Attack RequirementsNONE
AutomatableYES
User InteractionNONE
Product ConfidentialityNONE
Product IntegrityNONE
Product AvailabilityHIGH
Privileges RequiredNONE
Subsequent ConfidentialityNONE
Subsequent IntegrityNONE
Subsequent AvailabilityNONE
CVEJSONCSAF
Published2024-10-09
Updated2025-04-30
ReferencePAN-244840
Discoveredinternally

Description

A memory corruption vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker to crash PAN-OS due to a crafted packet through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.

Product Status

VersionsAffectedUnaffected
Cloud NGFWNone
All
PAN-OS 11.2None
All
PAN-OS 11.1< 11.1.3
>= 11.1.3
PAN-OS 11.0< 11.0.4-h5
< 11.0.6
>= 11.0.4-h5
>= 11.0.6
PAN-OS 10.2< 10.2.4-h24
< 10.2.7-h24
< 10.2.8-h20
< 10.2.9-h11
< 10.2.10-h4
< 10.2.11
>= 10.2.4-h24
>= 10.2.7-h24
>= 10.2.8-h20
>= 10.2.9-h11
>= 10.2.10-h4
>= 10.2.11
PAN-OS 10.1None
All
Prisma AccessNone
All

Required Configuration for Exposure

This issue affects only PAN-OS configurations where all of the following are true:* Threat Prevention is enabled.* The Threat Prevention signature 86467 (“Possible Domain Fronting Detection-SNI”) is enabled on an Anti-Spyware profile.* This setting is enabled: Device > Setup > Session > Decryption Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection.

Severity:HIGH, Suggested Urgency:MODERATE

CVSS-BT:8.2 /CVSS-B:8.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-787 Out-of-bounds Write

CAPEC-583 Disabling Network Hardware

Solution

This issue is fixed in 10.2.9-h11, 10.2.10-h4, PAN-OS 10.2.11, PAN-OS 11.0.4-h5, PAN-OS 11.0.6, PAN-OS 11.1.3, and all later PAN-OS versions.

Workarounds and Mitigations

Customers can block attacks for this vulnerability by disabling this setting: Device > Setup Session > Decryption Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection.Customers with a Threat Prevention subscription, who want to keep domain fronting detection enabled, can block attacks for this vulnerability by enabling Threat ID 94971 (introduced in Applications and Threats content version 8854).

Acknowledgments

This issue was found by Jeff Luo of Palo Alto Networks during internal review.

CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h19:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h23:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h22:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h21:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h20:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h19:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h23:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h22:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h21:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h20:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h19:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*

Timeline

Updated fix availability for PAN-OS 10.2
Clarified the Required Configuration for Exposure section
Initial publication

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

To keep up to date follow us on the below channels.

Tags: , ,

You may have missed

5b11b559324319be411a6d4e19e8094c627a4eb8c20269b098817707c5c49097

Wshlient – A Simple Tool To Interact With Web Shells And Command Injection Vulnerabilities

May 1, 2025
Cobalt-Strike

Cobalt Strike Beacon Detected – 118[.]107[.]221[.]14:9988

May 1, 2025
Cobalt-Strike

Cobalt Strike Beacon Detected – 49[.]232[.]143[.]137:8888

May 1, 2025
Cobalt-Strike

Cobalt Strike Beacon Detected – 154[.]204[.]57[.]57:4433

May 1, 2025
Cobalt-Strike

Cobalt Strike Beacon Detected – 1[.]94[.]236[.]193:9998

May 1, 2025