PAN-OS Incorrect String Comparison in Decryption Exclusions
CVE-2024-3386 Published on April 10, 2024

PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended
An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.

NVD

Vulnerability Analysis

CVE-2024-3386 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

LOW

Availability Impact:

NONE

Timeline

2024-04-10

Initial publication

Weakness Type

Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave.

Products Associated with CVE-2024-3386

Want to know whenever a new CVE is published for Palo Alto Networks PAN-OS? stack.watch will email you.

Palo Alto Networks PAN-OS

Affected Versions

Palo Alto Networks PAN-OS:

Version 9.0.0 and below 9.0.17-h2 is affected.
Version 9.1.0 and below 9.1.17 is affected.
Version 10.0.0 and below 10.0.13 is affected.
Version 10.1.0 and below 10.1.9-h3 is affected.
Version 10.1.0 and below 10.1.10 is affected.
Version 10.2.0 and below 10.2.4-h2 is affected.
Version 10.2.0 and below 10.2.5 is affected.
Version 11.0.0 and below 11.0.1-h2 is affected.
Version 11.0.0 and below 11.0.2 is affected.
Version 11.1.0 is unaffected.

Palo Alto Networks Cloud NGFW:

Version All is unaffected.

Palo Alto Networks Prisma Access:

Version All is unaffected.

palo_alto_networks cloud_ngfw:

Before * is unaffected.

palo_alto_networks prisma_access:

Before * is unaffected.

palo_alto_networks pan-os:

Version 9.0.0 and below 9.0.17-h2 is affected.
Version 9.1.0 and below 9.1.17 is affected.
Version 10.0.00 and below 10.0.13 is affected.
Version 10.1.0 and below 10.1.9-h3 is affected.
Version 10.1.0 and below 10.1.10 is affected.
Version 10.2.0 and below 10.2.4-h2 is affected.
Version 10.2.0 and below 10.2.5 is affected.
Version 11.0.0 and below 11.0.1-h2 is affected.
Version 11.0.0 and below 11.0.2 is affected.
Version 11.1.0 is affected.

Exploit Probability

EPSS

0.24%

Percentile

46.30%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

PAN-OS Incorrect String Comparison in Decryption ExclusionsCVE-2024-3386 Published on April 10, 2024

Vulnerability Analysis

Timeline

Weakness Type

Interpretation Conflict

Products Associated with CVE-2024-3386

Affected Versions

Exploit Probability

PAN-OS Incorrect String Comparison in Decryption Exclusions
CVE-2024-3386 Published on April 10, 2024