Palo Alto Networks addressed multiple vulnerabilities that an attacker can chain to hijack PAN-OS firewalls.
The vulnerabilities reside in the Palo Alto Networks’ Expedition solution, which is a migration tool designed to help organizations move configurations from other firewall platforms (like Check Point, Cisco, and others) to Palo Alto’s PAN-OS.
“Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system.” reads the advisory. “Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.”
An attacker could exploit the flaws to access sensitive data, such as user credentials, and potentially take over firewall administrator accounts.
Below are the descriptions of the flaws addressed by the security firm:
The vulnerabilities impact Expedition versions prior to 1.2.96.
Researchers from Horizon3 discovered the flaws CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466 while investigating the vulnerability CVE-2024-5910, which was disclosed in July.
The experts shared a proof-of-concept exploit code that chains the CVE-2024-5910 admin reset flaw with the CVE-2024-9464 for unauthenticated command execution on Expedition servers.
Horizon3 also published IOCs (indicators of compromise).
Palo Alto also provided workarounds and mitigations for these flaws. The company reccoments to restrict network access to Expedition to authorized users and hosts. For CVE-2024-9465, check for potential compromise by running the command mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"
on an Expedition system. If records are returned, it indicates potential compromise, though a lack of records does not confirm safety.
Palo Alto is not aware of attacks in the wild exploiting these vulnerabilities.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Palo Alto)