Pierluigi Paganini October 10, 2024

Palo Alto fixed critical flaws in PAN-OS firewalls, warning that attackers could chain these vulnerabilities to hijack the devices.

Palo Alto Networks addressed multiple vulnerabilities that an attacker can chain to hijack PAN-OS firewalls.

The vulnerabilities reside in the Palo Alto Networks’ Expedition solution, which is a migration tool designed to help organizations move configurations from other firewall platforms (like Check Point, Cisco, and others) to Palo Alto’s PAN-OS.

“Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system.” reads the advisory. “Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.”

An attacker could exploit the flaws to access sensitive data, such as user credentials, and potentially take over firewall administrator accounts.

Below are the descriptions of the flaws addressed by the security firm:

• CVE-2024-9463 (CVSS 9.9) – A command injection vulnerability in Palo Alto Networks’ Expedition allows unauthenticated attackers to execute OS commands as root, exposing usernames, passwords, configurations, and API keys of PAN-OS firewalls.
• CVE-2024-9464 (CVSS 9.3) – An authenticated OS command injection vulnerability allows attackers root access, leading to data exposure similar to CVE-2024-9463.
• CVE-2024-9465 (CVSS 9.2) – An SQL injection vulnerability in Palo Alto’s Expedition allows unauthenticated attackers to access database contents, including password hashes and device configurations, and create or read files on the system.
• CVE-2024-9466 (CVSS 8.2) – A vulnerability in Palo Alto Networks Expedition allows authenticated attackers to access sensitive information, revealing firewall usernames, passwords, and API keys stored in cleartext.
• CVE-2024-9467 (CVSS 7.0) – A reflected XSS vulnerability allows malicious JavaScript to execute in an authenticated user’s browser, leading to phishing attacks and potential session theft.

The vulnerabilities impact Expedition versions prior to 1.2.96. 

Researchers from Horizon3 discovered the flaws CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466 while investigating the vulnerability CVE-2024-5910, which was disclosed in July.

The experts shared a proof-of-concept exploit code that chains the CVE-2024-5910 admin reset flaw with the CVE-2024-9464 for unauthenticated command execution on Expedition servers.

Horizon3 also published IOCs (indicators of compromise).

Palo Alto also provided workarounds and mitigations for these flaws. The company reccoments to restrict network access to Expedition to authorized users and hosts. For CVE-2024-9465, check for potential compromise by running the command mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;" on an Expedition system. If records are returned, it indicates potential compromise, though a lack of records does not confirm safety.

Palo Alto is not aware of attacks in the wild exploiting these vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Palo Alto)