Pierluigi Paganini November 15, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following Palo Alto Networks Expedition vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability
• CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability

Last week, Palo Alto Networks addressed multiple vulnerabilities that an attacker can chain to hijack PAN-OS firewalls.

The vulnerabilities reside in the Palo Alto Networks’ Expedition solution, which is a migration tool designed to help organizations move configurations from other firewall platforms (like Check Point, Cisco, and others) to Palo Alto’s PAN-OS.

“Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system.” reads the advisory. “Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.”

An attacker could exploit the flaws to access sensitive data, such as user credentials, and potentially take over firewall administrator accounts.

Below are the descriptions of the flaws addressed by the security firm:

• CVE-2024-9463 (CVSS 9.9) – A command injection vulnerability in Palo Alto Networks’ Expedition allows unauthenticated attackers to execute OS commands as root, exposing usernames, passwords, configurations, and API keys of PAN-OS firewalls.
• CVE-2024-9464 (CVSS 9.3) – An authenticated OS command injection vulnerability allows attackers root access, leading to data exposure similar to CVE-2024-9463.
• CVE-2024-9465 (CVSS 9.2) – An SQL injection vulnerability in Palo Alto’s Expedition allows unauthenticated attackers to access database contents, including password hashes and device configurations, and create or read files on the system.
• CVE-2024-9466 (CVSS 8.2) – A vulnerability in Palo Alto Networks Expedition allows authenticated attackers to access sensitive information, revealing firewall usernames, passwords, and API keys stored in cleartext.
• CVE-2024-9467 (CVSS 7.0) – A reflected XSS vulnerability allows malicious JavaScript to execute in an authenticated user’s browser, leading to phishing attacks and potential session theft.

The vulnerabilities impact Expedition versions prior to 1.2.96. 

Researchers from Horizon3 discovered the flaws CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466 while investigating the vulnerability CVE-2024-5910, which was disclosed in July.

The experts shared a proof-of-concept exploit code that chains the CVE-2024-5910 admin reset flaw with the CVE-2024-9464 for unauthenticated command execution on Expedition servers.

Horizon3 also published IOCs (indicators of compromise).

Palo Alto also provided workarounds and mitigations for these flaws. The company reccoments to restrict network access to Expedition to authorized users and hosts. For CVE-2024-9465, check for potential compromise by running the command mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;" on an Expedition system. If records are returned, it indicates potential compromise, though a lack of records does not confirm safety.

Palo Alto is not aware of attacks in the wild exploiting these vulnerabilities.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by December 5, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Palo Alto Networks Expedition)