Critical vulnerabilities in Palo Alto Expedition
Background
Expedition is an enhanced version of the Palo Alto Networks Migration Tool, built to facilitate transferring configurations from other vendors to Palo Alto Networks’ PAN-OS. It optimizes configurations and saves administrators a great deal of time by simplifying these migrations.
Palo Alto Networks has released patches for a number of critical vulnerabilities in its Expedition tool. Left unpatched, these flaws have serious security implications: they give attackers the ability to run commands and obtain confidential data, such as user credentials, which may ultimately result in the compromise of firewall administrator accounts.
Technical details:
Several OS command injection vulnerabilities (CVE-2024-9463 and CVE-2024-9464) have been found in Expedition, allowing attackers, both authenticated and unauthenticated, to execute arbitrary OS commands as root. Sensitive information, including API keys and firewall credentials, is accessible as a result. Furthermore, a SQL injection vulnerability (CVE-2024-9465) lets unauthenticated attackers read Expedition’s database and retrieve crucial data, including password hashes and configuration details; it may even allow arbitrary files to be copied to the server. In addition, attackers can leverage CVE-2024-9466 to obtain sensitive data from cleartext logs and CVE-2024-9467, a reflected XSS flaw, to steal user sessions or launch phishing attacks. Combined, these vulnerabilities pose a serious risk that necessitates immediately patching and protecting Expedition instances.
| CVE | Type | CVSS |
|---|---|---|
| CVE-2024-9463 | OS command injection | 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) |
| CVE-2024-9464 | OS command injection | 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) |
| CVE-2024-9465 | SQL injection | 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N) |
| CVE-2024-9466 | Cleartext storage of sensitive information | 8.2 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N) |
| CVE-2024-9467 | Reflected XSS | 7.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N) |
Zach Hanley, a researcher from Horizon3.ai, discovered three more critical vulnerabilities while examining CVE-2024-5910, a previously disclosed admin credential reset flaw: CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466.
CVE-2024-5910 originally allowed attackers to remotely reset administrator credentials because no authentication checks were performed. Hanley found that, once administrator access was obtained, attackers could execute code remotely through files such as “CronJobs.php.” Subsequent analysis identified the “CHECKPOINT.php” SQL injection vulnerability, which allowed unauthorized access to database information.
Hanley has published a proof-of-concept (PoC) exploit that chains the earlier admin reset vulnerability with the newly identified CVE-2024-9464 command injection to achieve unauthenticated command execution on vulnerable Expedition servers.
A separate proof-of-concept (PoC) for the CVE-2024-9465 vulnerability is also available on GitHub.
Affected versions:
Palo Alto Networks has confirmed that these vulnerabilities affect Expedition versions prior to 1.2.96. Crucially, the company made it clear that Palo Alto’s firewalls, Panorama, Prisma Access, and Cloud NGFW products are unaffected by the issues.
Recommendations:
Upgrading to Expedition version 1.2.96 or later is advised; all of the vulnerabilities described here are fixed in that release.
The risk of exploitation can be reduced by implementing the following mitigation measures:
- Access Restrictions: Allow only authorized individuals and networks to reach the network segments on which Expedition systems are deployed.
- Rotate Credentials: As soon as you upgrade, rotate all Expedition usernames, passwords, and API keys, including those used for firewall and device integrations.
- Monitor Logs and Verify IoCs: Look for indications of unauthorized activity by reviewing access logs for HTTP requests directed at known vulnerable endpoints, such as /OS/startup/restore/restoreAdmin.php and /bin/CronJobs.php. Additionally, search the Expedition database for any unusual entries that could indicate a breach.
- Shut Down Unused Instances: To reduce exposure, shut down Expedition when it is not in use.
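The log review in the "Monitor Logs and Verify IoCs" step can be scripted. The following is an added example (not from the advisory or the Expedition project) that parses combined-format web server access logs, which it assumes Expedition's web server writes, and flags any request to the two endpoints named above, ignoring query strings and letter case so that trivial variations are not missed. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Endpoints named in the advisory's IoC guidance.
SUSPICIOUS_PATHS = (
    "/OS/startup/restore/restoreAdmin.php",
    "/bin/CronJobs.php",
)

# Assumed log layout: Apache/nginx "combined" format (adjust if yours differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def find_hits(lines):
    """Return parsed entries whose request path targets a known vulnerable endpoint.
    A 404 still counts: a probe for the endpoint is worth investigating."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]          # drop any query string
        if any(path.lower().endswith(p.lower()) for p in SUSPICIOUS_PATHS):
            entry["path"] = path
            hits.append(entry)
    return hits

def summarize(hits):
    """Count flagged requests per (source IP, endpoint) pair."""
    return Counter((h["ip"], h["path"]) for h in hits)

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:09:12:01 +0000] "GET /login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2024:09:12:09 +0000] "POST /OS/startup/restore/restoreAdmin.php HTTP/1.1" 200 88',
    '203.0.113.7 - - [10/Oct/2024:09:13:22 +0000] "POST /bin/CronJobs.php?action=run HTTP/1.1" 200 41',
    '198.51.100.4 - - [10/Oct/2024:09:15:00 +0000] "GET /bin/cronjobs.php HTTP/1.1" 404 213',
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for (ip, path), n in summarize(find_hits(SAMPLE_LOG)).items():
        print(f"{ip} -> {path}: {n} request(s)")
```

Any hit warrants a closer look at the source address and what it did next; a clean result only shows that these two paths were not requested in the logs you retained.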
The Palo Alto Networks advisory also notes that, for CVE-2024-9465, you can run the following command on an Expedition system to check for potential indicators of compromise. Replace "root" with your database username if it differs:
mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"
If any records are returned, the system may have been compromised. However, an empty result does not by itself confirm that the system is secure.