Pierluigi Paganini November 15, 2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following Palo Alto Networks Expedition vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
Last week, Palo Alto Networks addressed multiple vulnerabilities that an attacker can chain to hijack PAN-OS firewalls.
The vulnerabilities reside in the Palo Alto Networks’ Expedition solution, which is a migration tool designed to help organizations move configurations from other firewall platforms (like Check Point, Cisco, and others) to Palo Alto’s PAN-OS.
“Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system.” reads the advisory. “Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.”
An attacker could exploit the flaws to access sensitive data, such as user credentials, and potentially take over firewall administrator accounts.
Below are the descriptions of the flaws addressed by the security firm:
The vulnerabilities impact Expedition versions prior to 1.2.96.
Researchers from Horizon3 discovered the flaws CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466 while investigating the vulnerability CVE-2024-5910, which was disclosed in July.
The experts shared a proof-of-concept exploit code that chains the CVE-2024-5910 admin reset flaw with the CVE-2024-9464 for unauthenticated command execution on Expedition servers.
Horizon3 also published IOCs (indicators of compromise).
Palo Alto also provided workarounds and mitigations for these flaws. The company reccoments to restrict network access to Expedition to authorized users and hosts. For CVE-2024-9465, check for potential compromise by running the command mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"
on an Expedition system. If records are returned, it indicates potential compromise, though a lack of records does not confirm safety.
Palo Alto is not aware of attacks in the wild exploiting these vulnerabilities.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by December 5, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Palo Alto Networks Expedition)