PatchSiren cyber security CVE debrief
CVE-2024-3386 Siemens CVE debrief
An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.
- Vendor: Siemens
- Product: RUGGEDCOM APE1808
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2025-05-13
- Advisory published: 2024-04-09
- Advisory updated: 2025-05-13
Who should care
Organizations running Siemens RUGGEDCOM APE1808 devices with Palo Alto Networks Virtual NGFW, particularly those in industrial and operational technology environments relying on SSL/TLS decryption for threat detection. Security teams responsible for firewall policy management and OT/ICS network security should prioritize this fix. Network administrators should verify that decryption policies are functioning as intended and that traffic is not being inadvertently excluded from inspection.
Technical summary
CVE-2024-3386 is a vulnerability in Palo Alto Networks PAN-OS software where an incorrect string comparison prevents Predefined Decryption Exclusions from functioning correctly. The flaw causes unintended exclusion of traffic from decryption when that traffic is destined for domains not specified in the Predefined Decryption Exclusions list. This could allow encrypted traffic to bypass SSL/TLS inspection that would normally be decrypted and analyzed for threats. The vulnerability affects Siemens RUGGEDCOM APE1808 devices when configured with Palo Alto Networks Virtual NGFW. A fix is available in Palo Alto Networks Virtual NGFW V11.1.2-h3.
Defensive priority
medium
Recommended defensive actions
- Upgrade Palo Alto Networks Virtual NGFW to version V11.1.2-h3 or later. Contact customer support to receive patch and update information.
- Review SSL/TLS decryption policies to ensure traffic is being inspected as intended, particularly for domains that should not be excluded from decryption.
- Monitor for unexpected decryption exclusions in firewall logs that may indicate this vulnerability is being triggered.
- Apply defense-in-depth strategies for industrial control systems as recommended by CISA.
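The review and monitoring steps above can be turned into a simple check: compare the SNIs of sessions the firewall did not decrypt against the configured exclusion list, using the intended matching semantics, and flag any bypass that no exclusion entry covers. This is an added example written for this debrief, not PAN-OS code; the page does not state which comparison in PAN-OS is wrong, so the example demonstrates the defender-side validation only. The exclusion list, the log field layout and the log lines are constructed assumptions, not the real PAN-OS decryption log format.

```python
"""Flag TLS sessions that bypassed decryption although their SNI is not
covered by the configured Predefined Decryption Exclusions.

Constructed example for CVE-2024-3386 review work. Not PAN-OS code; the
exclusion list, field layout and log lines below are assumptions."""
from fnmatch import fnmatchcase

# Constructed exclusion list: exact host names and wildcard entries
# (assumption about how such a list is written).
EXCLUSIONS = ["*.update.example", "login.bank.example"]

# Constructed log lines: session id, SNI, proxy action (not the real format).
SAMPLE_LOG = """\
1001 cdn.update.example decrypt-bypass
1002 www.shop.example decrypt-bypass
1003 login.bank.example decrypt-bypass
1004 mail.corp.example decrypt
1005 bank.example.evil.test decrypt-bypass
"""


def is_excluded(sni: str, exclusions=EXCLUSIONS) -> bool:
    """Intended exclusion semantics: the whole host name must equal an entry
    or match a wildcard entry. DNS names are case-insensitive, and a trailing
    dot denotes the same name, so both are normalised before comparison."""
    host = sni.lower().rstrip(".")
    return any(fnmatchcase(host, pat.lower()) for pat in exclusions)


def find_unexpected_bypasses(log_text: str, exclusions=EXCLUSIONS) -> list[tuple[str, str]]:
    """Return (session_id, sni) for every session the firewall did not decrypt
    even though no exclusion entry covers the SNI. Any hit means traffic is
    escaping inspection that policy says should be decrypted."""
    unexpected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session_id, sni, action = line.split()
        if action == "decrypt-bypass" and not is_excluded(sni, exclusions):
            unexpected.append((session_id, sni))
    return unexpected


if __name__ == "__main__":
    for sid, sni in find_unexpected_bypasses(SAMPLE_LOG):
        print(f"session {sid}: {sni} bypassed decryption but matches no exclusion")
```

Running the script on the constructed log reports sessions 1002 and 1005, which bypassed decryption without a covering exclusion entry; on a real export the same comparison highlights exactly the behaviour this CVE describes.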
Evidence notes
The vulnerability stems from an incorrect string comparison in Palo Alto Networks PAN-OS software that affects the Predefined Decryption Exclusions feature. This flaw causes traffic to domains not explicitly listed in Predefined Decryption Exclusions to be inadvertently excluded from decryption, potentially allowing encrypted malicious traffic to bypass inspection. The issue was disclosed in CISA ICS Advisory ICSA-24-102-04 on April 9, 2024, and affects Siemens RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW.
Official resources
- CVE-2024-3386 CVE record (CVE.org)
- CVE-2024-3386 NVD detail (NVD)
- Source item URL (cisa_csaf)