CVE-2024-3384 Overview
A vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to reboot PAN-OS firewalls when receiving Windows New Technology LAN Manager (NTLM) packets from Windows servers. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.
Critical Impact
This vulnerability allows unauthenticated remote attackers to cause repeated firewall reboots, potentially forcing the device into maintenance mode and requiring manual recovery, resulting in extended network security gaps.
Affected Products
- Palo Alto Networks PAN-OS (multiple versions)
- PAN-OS version 9.1.15 and related versions
- PAN-OS firewalls configured to receive NTLM authentication packets
Discovery Timeline
- April 10, 2024 - CVE-2024-3384 published to NVD
- January 24, 2025 - Last updated in NVD database
Technical Details for CVE-2024-3384
Vulnerability Analysis
This vulnerability resides in the NTLM packet processing functionality within PAN-OS software. When PAN-OS firewalls receive specially crafted or malformed Windows NTLM authentication packets, the system fails to properly handle these packets, resulting in unexpected system behavior that triggers a device reboot.
The vulnerability is classified under CWE-1286 (Improper Validation of Syntactic Correctness of Input), indicating that the firewall does not adequately validate the structure and content of incoming NTLM packets before processing them. This improper validation allows malformed packets to reach vulnerable code paths that cannot safely handle the unexpected input.
The attack can be executed remotely over the network without requiring any prior authentication or user interaction, making it particularly dangerous for internet-facing PAN-OS deployments.
Root Cause
The root cause stems from improper validation of syntactic correctness of input (CWE-1286) in the NTLM packet processing routines within PAN-OS. When Windows servers send NTLM packets to affected PAN-OS firewalls, the system fails to properly sanitize or validate these packets before processing them. This inadequate input validation leads to an unhandled exception or error condition that triggers a system reboot as a protective mechanism.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying a vulnerable PAN-OS firewall accessible over the network
- Crafting or leveraging Windows NTLM packets that trigger the vulnerability
- Sending these packets to the target firewall repeatedly
- Each successful attack causes a firewall reboot
- Sustained attacks force the firewall into maintenance mode, requiring manual intervention to restore operation
The vulnerability is particularly concerning because the attack can be automated and repeated, allowing an attacker to maintain a persistent denial of service condition. Once the firewall enters maintenance mode, normal network security operations are disrupted until an administrator manually intervenes to restore the system.
Detection Methods for CVE-2024-3384
Indicators of Compromise
- Unexpected or frequent firewall reboots without administrative action
- PAN-OS firewall entering maintenance mode without scheduled maintenance
- Elevated volume of NTLM authentication traffic targeting the firewall
- System logs indicating abnormal termination or crash events related to NTLM processing
Detection Strategies
- Monitor PAN-OS system logs for unexpected reboot events and crash signatures
- Implement network traffic analysis to detect unusual patterns of NTLM packets directed at firewall management interfaces
- Configure SIEM alerting for multiple consecutive firewall restarts within a short time window
- Review authentication logs for anomalous NTLM traffic from unexpected sources
Monitoring Recommendations
- Enable detailed logging on PAN-OS devices to capture NTLM-related events and system state changes
- Deploy network monitoring solutions to baseline normal NTLM traffic patterns and alert on deviations
- Establish automated alerting for firewall availability to quickly detect DoS conditions
- Regularly review firewall health metrics and uptime statistics for anomalies
How to Mitigate CVE-2024-3384
Immediate Actions Required
- Review the Palo Alto Networks Security Advisory for specific affected versions and available patches
- Apply vendor-provided patches to all affected PAN-OS installations immediately
- Implement network segmentation to limit exposure of firewall management interfaces
- Consider temporary access restrictions for NTLM traffic if patching cannot be immediately performed
Patch Information
Palo Alto Networks has released security updates to address this vulnerability. Administrators should consult the official Palo Alto Networks security advisory for specific version information, patch availability, and upgrade paths. The advisory contains detailed guidance on which PAN-OS versions are affected and the recommended upgrade targets.
Workarounds
- Restrict network access to PAN-OS firewall management interfaces from untrusted networks
- Implement upstream filtering to block or rate-limit NTLM traffic from reaching vulnerable firewalls
- Configure monitoring and automated failover mechanisms to minimize downtime if exploitation occurs
- Consider deploying redundant firewall configurations to maintain network protection during potential attacks
# Example: Restrict management interface access (verify with Palo Alto documentation)
# Configure interface management profile to limit access sources
# set network interface ethernet1/1 ip-address <management-ip>
# set network profiles interface-management-profile <profile-name> permitted-ip <trusted-network>
# Monitor for unusual reboot patterns in PAN-OS logs
# Review system logs: Monitor > Logs > System
# Filter for: subtype eq 'system' and action eq 'reboot'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
