Advisory

Palo Alto Patches critical flaws in Expedition tool exposing firewall credentials

Take action: If you are using Palo Alto Expedition, isolate access to it only from trusted networks, patch it ASAP and rotate credentials and API keys. There are multiple critical flaws, so delays are pointless.


Learn More

Palo Alto Networks has released patches addressing multiple critical vulnerabilities in its Expedition tool. Expedition is a migration tool that helps organizations transfer firewall configurations from other platforms, such as Cisco and Check Point, to Palo Alto's PAN-OS. Its purpose is to simplify and reduce the effort involved in migrating configurations.

These vulnerabilities, disclosed by Horizon3.ai, allow attackers to gain control over firewall administrator accounts and access sensitive configuration data.

The critical flaws affect Expedition versions prior to 1.2.96 and include:

  1. CVE-2024-9463 (CVSS score 9.9) - This OS command injection vulnerability enables an unauthenticated attacker to execute commands with root privileges on the Expedition system. This could result in access to usernames, cleartext passwords, API keys, and device configurations of PAN-OS firewalls.

  2. CVE-2024-9464 (CVSS score 9.3) - An authenticated attacker can leverage this OS command injection flaw to execute commands as root, leading to similar data exposure as CVE-2024-9463.

  3. CVE-2024-9465 (CVSS score 9.2) - This SQL injection vulnerability allows unauthenticated attackers to access Expedition's database contents, which include usernames and password hashes. Attackers can also create or read arbitrary files on the system, with proof-of-concept code for exploitation made publicly available.

  4. CVE-2024-9466 (CVSS score 8.2) - This flaw involves cleartext storage of sensitive information, making it possible for authenticated attackers to access firewall usernames, passwords, and API keys.

  5. CVE-2024-9467 (CVSS score 7.0) - A reflected cross-site scripting (XSS) vulnerability could allow malicious JavaScript execution within an authenticated user’s browser, potentially enabling phishing attacks or session hijacking.

These vulnerabilities are low-complexity to exploit, and their impact is severe: they can give attackers access to critical firewall settings and administrative controls, and one of them already has a publicly available PoC.

Palo Alto Networks advises all customers to update to Expedition version 1.2.96 or later. They also recommend rotating Expedition usernames, passwords, and API keys, and restricting network access to authorized users only.

While there is no evidence of active exploitation at the time of the disclosure, the availability of proof-of-concept code makes it crucial for users to patch their systems.
