CVE-2024-2550 Overview
A null pointer dereference vulnerability exists in the GlobalProtect gateway component of Palo Alto Networks PAN-OS software. This security flaw enables an unauthenticated attacker to stop the GlobalProtect service on affected firewalls by sending a specially crafted packet, resulting in a denial of service (DoS) condition. Repeated exploitation attempts can force the firewall into maintenance mode, causing extended service disruptions.
Critical Impact
Unauthenticated remote attackers can disrupt VPN connectivity and force enterprise firewalls into maintenance mode, potentially impacting thousands of remote users and critical business operations.
Affected Products
- Palo Alto Networks PAN-OS 10.2.7 (multiple hotfixes including h1, h3, h6, h8, h12, h16, h18, h19)
- Palo Alto Networks PAN-OS 10.2.8, 10.2.9, 10.2.10 (various hotfix versions)
- Palo Alto Networks PAN-OS 11.1.4 (including h1, h4, h7 hotfixes)
Discovery Timeline
- November 14, 2024 - CVE-2024-2550 published to NVD
- January 24, 2025 - Last updated in NVD database
Technical Details for CVE-2024-2550
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), a memory corruption flaw that occurs when the GlobalProtect gateway service attempts to dereference a pointer that has not been properly initialized or has been set to NULL. When the service processes a malformed network packet, it fails to validate pointer references before use, causing the service to crash.
The attack requires no authentication and can be executed remotely over the network. The vulnerability specifically targets the GlobalProtect gateway, which handles VPN connections for remote users. When exploited, the service terminates unexpectedly, disconnecting all active VPN sessions. The most severe consequence occurs when an attacker repeatedly triggers the vulnerability—this can cause the entire firewall to enter maintenance mode, requiring manual administrative intervention to restore normal operations.
Root Cause
The root cause is insufficient validation of packet data before pointer dereferencing in the GlobalProtect gateway service. When processing incoming network traffic, the service fails to verify that certain data structures are properly initialized before attempting to access their memory addresses. This programming error allows a maliciously crafted packet to trigger a null pointer access, causing an unhandled exception that terminates the GlobalProtect service process.
Attack Vector
The attack is network-based and requires no user interaction or authentication. An attacker can exploit this vulnerability by:
- Identifying a target firewall running the GlobalProtect gateway service
- Crafting a malicious network packet designed to trigger the null pointer condition
- Sending the packet directly to the GlobalProtect gateway endpoint
- Observing the service crash and VPN session disconnections
- Optionally, repeating the attack to force the firewall into maintenance mode
The exploitation does not provide data exfiltration or code execution capabilities, but the availability impact is significant for organizations relying on GlobalProtect for remote workforce connectivity.
Detection Methods for CVE-2024-2550
Indicators of Compromise
- Unexpected GlobalProtect service restarts or crashes in firewall logs
- Multiple VPN session disconnections occurring simultaneously without user action
- Firewall entering maintenance mode without scheduled maintenance windows
- Anomalous network packets targeting GlobalProtect gateway ports from external sources
Detection Strategies
- Monitor firewall system logs for GlobalProtect service crash events and null pointer exception errors
- Implement network intrusion detection rules to identify malformed packets targeting GlobalProtect services
- Configure SIEM alerts for patterns of repeated service restarts within short time windows
- Enable verbose logging on GlobalProtect gateway to capture packet processing failures
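The repeated-restart alerting described in the list above, sketched as an added example (not code from the advisory or from Palo Alto Networks). The log format, the event labels `gp_service_restart` and `maintenance_mode`, the device names and the default threshold of three restarts in five minutes are assumptions; the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed format "<ISO time> <device> <event>",
# listed in time order. Real PAN-OS system logs differ: map your source onto it.
SAMPLE_LOG = """\
2024-11-20T09:00:05 fw-edge-01 gp_service_restart
2024-11-20T09:01:40 fw-edge-01 gp_service_restart
2024-11-20T09:02:10 fw-edge-02 gp_service_restart
2024-11-20T09:03:15 fw-edge-01 gp_service_restart
2024-11-20T09:03:50 fw-edge-01 maintenance_mode
2024-11-20T13:30:00 fw-edge-02 gp_service_restart
malformed line without fields
"""
RESTART = "gp_service_restart"    # hypothetical event label
MAINTENANCE = "maintenance_mode"  # hypothetical event label

def parse(line):
    """Return (timestamp, device, event), or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2]
    except ValueError:
        return None

def detect(log_text, threshold=3, window=timedelta(minutes=5)):
    """Alert on `threshold` restarts per device within `window`, and on maintenance mode."""
    recent = defaultdict(deque)  # device -> restart timestamps still inside the window
    alerts = []
    for ts, device, event in filter(None, map(parse, log_text.splitlines())):
        if event == MAINTENANCE:
            alerts.append((ts, device, "maintenance_mode"))
        elif event == RESTART:
            q = recent[device]
            q.append(ts)
            while q and ts - q[0] > window:  # drop restarts older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append((ts, device, "restart_burst"))
    return alerts

if __name__ == "__main__":
    for ts, device, kind in detect(SAMPLE_LOG):
        print(ts.isoformat(), device, kind)
```

An isolated restart, such as the two widely spaced events on `fw-edge-02`, stays below the threshold, which is why a restart-frequency baseline matters when choosing the window.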
Monitoring Recommendations
- Establish baseline metrics for GlobalProtect service uptime and restart frequency
- Deploy network traffic analysis to identify unusual packet patterns targeting firewall management interfaces
- Configure automated alerts when firewalls enter maintenance mode unexpectedly
- Review firewall health dashboards for availability degradation trends
How to Mitigate CVE-2024-2550
Immediate Actions Required
- Update affected PAN-OS installations to patched versions as specified in the vendor advisory
- Review network access controls to limit exposure of GlobalProtect gateway services where possible
- Enable enhanced logging on GlobalProtect services to detect exploitation attempts
- Prepare incident response procedures for potential firewall maintenance mode scenarios
Patch Information
Palo Alto Networks has released security updates to address this vulnerability. Administrators should consult the Palo Alto Networks Security Advisory for specific patched version information and upgrade guidance. The vendor advisory provides detailed information about fixed releases for each affected PAN-OS version branch.
Workarounds
- Restrict network access to GlobalProtect gateway services using firewall rules where operationally feasible
- Implement rate limiting on connections to GlobalProtect endpoints to slow potential DoS attacks
- Configure high-availability (HA) pairs to minimize service disruption if one firewall is affected
- Consider deploying network-based intrusion prevention systems (IPS) to filter malicious packets before they reach the firewall


