Palo Alto Networks Prisma SD-WAN ION Denial-of-Service Vulnerability via Crafted IPv6 Packet
Vulnerability
A denial-of-service vulnerability has been identified in Palo Alto Networks Prisma SD-WAN ION devices. This vulnerability allows an unauthenticated attacker in a network adjacent to the affected device to disrupt system operations by sending a specially crafted IPv6 packet. The issue affects Prisma SD-WAN ION versions 6.5.1 prior to 6.5.3-b15, 6.4.1 prior to 6.4.3-b8, and 6.3.1 prior to 6.3.6-b10. Notably, versions 6.1 and 5.6 are unaffected.
Impact
Exploitation of this vulnerability leads to a significant disruption of system availability.
Remediation
Users can upgrade to Prisma SD-WAN 6.5.3-b15 or later, 6.4.3-b8 or later, or 6.3.6-b10 or later, depending on their current version. If using an on-prem version of Prisma SD-WAN ION 6.2.4, upgrade to version 6.2.4-b12. As a workaround, IPv6 can be disabled on SD-WAN ION devices if not needed.
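To triage a device inventory against the version ranges above, the following Python example classifies version strings of the form `6.5.3-b15`. It is added here and is not Palo Alto Networks code. It assumes a missing `-bN` suffix means build 0 and that build numbers order numerically; the device names in the sample inventory are constructed.

```python
import re

# (first affected, first fixed) per release train, as (major, minor, patch, build),
# taken from the version ranges in the advisory text above.
AFFECTED = {
    (6, 5): ((6, 5, 1, 0), (6, 5, 3, 15)),
    (6, 4): ((6, 4, 1, 0), (6, 4, 3, 8)),
    (6, 3): ((6, 3, 1, 0), (6, 3, 6, 10)),
}
UNAFFECTED_TRAINS = {(6, 1), (5, 6)}
ONPREM_624_FIXED = (6, 2, 4, 12)  # on-prem 6.2.4 is fixed in 6.2.4-b12

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-b(\d+))?$")


def parse(version):
    """Turn '6.5.3-b15' into (6, 5, 3, 15). Assumption: no '-bN' means build 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(version):
    """Classify one ION software version against the advisory's ranges."""
    v = parse(version)
    train = v[:2]
    if train in UNAFFECTED_TRAINS:
        return "unaffected"
    if train in AFFECTED:
        first_affected, first_fixed = AFFECTED[train]
        if v >= first_fixed:
            return "fixed"
        return "affected" if v >= first_affected else "not-listed"
    if v[:3] == (6, 2, 4):
        return "fixed" if v >= ONPREM_624_FIXED else "upgrade-if-on-prem"
    return "not-listed"  # the advisory says nothing about this version


def report(inventory):
    """Map each device name to its triage status."""
    return {name: triage(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; device names are hypothetical.
    sample = {"branch-ion-01": "6.5.2-b3", "branch-ion-02": "6.4.3-b8",
              "dc-ion-01": "6.2.4-b11", "lab-ion-01": "6.1.9-b2"}
    for name, status in report(sample).items():
        print(f"{name}: {status}")
```

Devices reported as `affected` that do not need IPv6 can have it disabled as the interim workaround until the upgrade is scheduled.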
