CVE-2024-3382: PAN-OS: Firewall Denial of Service (DoS) via a Burst of Crafted Packets
A memory leak exists in Palo Alto Networks PAN-OS software that enables an attacker to send a burst of crafted packets through the firewall that eventually prevents the firewall from processing traffic. This issue applies only to PA-5400 Series devices that are running PAN-OS software with the SSL Forward Proxy feature enabled.
Security readout for executives and security teams
Plain-English summary
This issue can let an unauthenticated network attacker disrupt an affected Palo Alto firewall by causing a memory leak with crafted traffic. The result is availability loss: the firewall can eventually stop processing traffic. The source bundle limits impact to PA-5400 Series devices running PAN-OS with SSL Forward Proxy enabled.
Executive priority
Treat as high priority where PA-5400 firewalls inspect critical traffic with SSL Forward Proxy enabled. The business risk is outage or degraded network security enforcement, not data theft. Scope first, then follow vendor remediation guidance.
Technical view
CVE-2024-3382 is a PAN-OS memory leak categorized as CWE-770. CVSS 3.1 is 7.5, driven by network reachability, low complexity, no privileges, no user interaction, and high availability impact. Cloud NGFW and Prisma Access are listed as unaffected in the provided source bundle.
Likely exposure
Exposure appears narrow: PA-5400 Series appliances running PAN-OS version families listed in the bundle and using SSL Forward Proxy. Internet-edge, data-center, or egress inspection deployments would carry the most operational risk if traffic disruption would affect critical services.
Exploitation context
The bundle does not show CISA KEV status and provides no evidence of active exploitation. The attack scenario is denial of service, not confidentiality or integrity compromise. The attacker must send crafted packets through the firewall path where the vulnerable feature is active.
Researcher notes
Evidence is limited to the supplied CVE and vendor reference. Do not assume broader PAN-OS platform impact beyond the stated PA-5400 and SSL Forward Proxy condition. No public exploit activity is supported by the bundle.
Mitigation direction
Inventory PA-5400 Series firewalls and PAN-OS versions.
Confirm whether SSL Forward Proxy is enabled on each device.
Review Palo Alto Networks guidance for fixed releases or supported mitigations.
Prioritize remediation for firewalls protecting critical traffic paths.
Monitor memory pressure and traffic-processing health until remediated.
Validation and detection
Check asset inventory for PA-5400 Series devices.
Verify PAN-OS versions against the vendor advisory.
Confirm SSL Forward Proxy configuration status.
Review logs and telemetry for repeated memory growth or traffic-processing failures.
Document Cloud NGFW and Prisma Access as unaffected if applicable.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-770: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-770 · source CWE mapping
Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.