Skip to content

Search the site

CISA: Critical Palo Alto Networks vulnerability exploited in the wild

Expedition, a migration tool, hit by bug that could allow attackers with network access to "access secrets, credentials, and other data".

A critical vulnerability in Palo Alto Networks' Expedition migration tool is being actively exploited, CISA has warned.

In July, the company patched CVE-2024-5910 in Expedition, which lets users shift their configuration from Checkpoint, Cisco, or any other vendor to PAN-OS, the software that runs all of Palo Alto Networks' next-generation firewalls.

Now it has been added to CISA's Known Exploited Vulnerability Catalog, which means that if you haven't updated already, you need to do so immediately by law. CISA's BOD-22-01 (Binding Operational Directive 22-01) requires vulns to be patched within two weeks.

It is not yet known whether the bug has been used in a ransomware campaign and CISA has not yet released details of any attacks.

"Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data," CISA warned.

"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable," it advised.

This issue is fixed in Expedition 1.2.92 and all later versions.

In its advisory, Pala Alto Networks wrote: "Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.

"Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue."

It added: "Palo Alto Networks is aware of reports from CISA that there is evidence of active exploitation for this CVE."

The company also offered mitigation advice: "Ensure networks access to Expedition is restricted to authorized users, hosts, or networks."

Synopsys Cybersecurity Research Center's Brian Hysell is credited with discovering and reporting the bug.

READ MORE: Special Forces hero Oz Alashe MBE on the demilitarisation of cybersecurity

Zach Hanley, a researcher with Horizon3.ai, shared a root cause analysis and indicators of compromise, discovering three other bugs along the way.

He added a PoC for one of the new vulnerabilities he unearthed to Github and claimed his exploit "chains the admin reset of CVE-2024-5910 to achieve unauthenticated arbitrary command execution."

The trio of vulns has been confirmed by Palo Alto Networks, which wrote the descriptions quoted below:

  • CVE-2024-9464, a Authenticated Command Injection bug which " allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.".
  • CVE-2024-9465, an Unauthenticated SQL Injection which "allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys" as well as allowing attackers to "create and read arbitrary files on the Expedition system.
  • CVE-2024-9466, a "cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials."

Discussing these three bugs, Palo Alto Networks wrote: "Palo Alto Networks is not aware of any malicious exploitation of these issues. Steps to reproduce this issue are publicly available."

Join peers following The Stack on LinkedIn

Latest