Overview

Palo Alto has released a security bulletin regarding a high-severity denial-of-service (DoS) vulnerability (CVE-2024-3393) affecting the DNS Security feature in PAN-OS next-generation firewalls (NGFWs). This issue only impacts PAN-OS systems with DNS Security logging enabled. DNS Security is an optional subscription designed to safeguard against DNS-based threats on PAN-OS devices.

This vulnerability has a maximum CVSSv4 score of 8.7. Exploitation could allow an unauthenticated attacker to send a crafted packet to the firewall, causing it to reboot upon processing. If exploited repeatedly, the firewall could enter maintenance mode.   

Sophos has issued a critical advisory to address three vulnerabilities in its Sophos Firewall, including two rated as critical and one as high severity.

  • CVE-2024-12727 (CVSSv3 9.8): This pre-authentication SQL injection vulnerability in the email protection feature could enable remote code execution (RCE) and access to the reporting database. It affects firewalls configured with Secure PDF eXchange (SPX) enabled and running in High Availability mode.
  • CVE-2024-12728 (CVSSv3 9.8): This vulnerability involves weak credentials, where the default and non-random Secure Shell (SSH) login passphrase for High Availability mode remains active after initialisation, potentially exposing a privileged system account.
  • CVE-2024-12729 (CVSSv3 8.8): This code injection flaw in the User Portal could allow an authenticated attacker to execute arbitrary code.

The Apache Software Foundation has announced two security updates addressing critical vulnerabilities in Apache Tomcat, a widely used open-source implementation of the Jakarta EE platform that facilitates a Java-based HTTP web server environment.

On 17 December 2024, Apache released details of CVE-2024-50379, a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability. With a CVSSv3 score of 9.8, this flaw could allow an unauthenticated attacker to achieve remote code execution (RCE) under specific circumstances, namely when the default servlet is configured to permit write operations (a non-default setting) on case-insensitive file systems. On 20 December 2024, Apache published a follow-up advisory noting that the mitigation for CVE-2024-50379 was incomplete. The new vulnerability, designated CVE-2024-56337, requires additional steps to fully secure affected systems, depending on the Java version paired with Tomcat.

Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Palo Alto Networks Security Advisory

Sophos – Security Advisory

Apache Software Foundation – Apache Pony Mail

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.
