Palo Alto Networks on Wednesday pushed out patches for several serious flaws in its Expedition customer migration tool and warned that attackers can launch trivial exploits to take over firewall administrator accounts.
The vulnerabilities, discovered and documented by Horizon3.ai, open the door for attackers to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system.
According to a Palo Alto Networks bulletin, a successful attacker would have access to usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
The raw details on the patched vulnerabilities:
- CVE-2024-9463 (CVSS 9.9) – An OS command injection vulnerability allows an unauthenticated attacker to execute arbitrary OS commands as root, disclosing usernames, cleartext passwords, device configurations, and API keys of PAN-OS firewalls.
- CVE-2024-9464 (CVSS 9.3) – An authenticated attacker can exploit an OS command injection vulnerability to run OS commands as root, resulting in the same data exposure as CVE-2024-9463.
- CVE-2024-9465 (CVSS 9.2) – An SQL injection vulnerability allows an unauthenticated attacker to access Expedition database contents, including usernames and password hashes. Attackers can also create and read arbitrary files on the system. Proof-of-concept code is publicly available for this flaw.
- CVE-2024-9466 (CVSS 8.2) – Cleartext storage of sensitive information vulnerability allows an authenticated attacker to reveal firewall usernames, passwords, and API keys.
- CVE-2024-9467 (CVSS 7.0) – A reflected XSS vulnerability enables malicious JavaScript execution in an authenticated user’s browser, facilitating phishing attacks and potential session theft.
The company said the vulnerabilities impact Expedition versions prior to 1.2.96.
In addition to patching, Palo Alto Networks is pushing customers to rotate all Expedition usernames, passwords, and API keys, as well as firewall usernames and passwords. The company said network access to Expedition should also be restricted to authorized users, hosts, or networks.
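The two actionable facts above (affected versions are those prior to 1.2.96, and the vendor pairs patching with credential rotation and network restriction) translate directly into an inventory triage check. The script below is an added example, not code from Palo Alto Networks or Horizon3.ai; the hostnames and version strings in the inventory are constructed, and the remediation actions it attaches to each host are the ones the article lists. It compares versions numerically rather than as strings, which matters here: a plain string comparison would rank a hypothetical "1.2.100" below "1.2.96" and mark a patched host as vulnerable.

```python
import re

# Expedition versions prior to 1.2.96 are affected, per the vendor bulletin as reported above.
PATCHED_VERSION = "1.2.96"

def parse_version(version: str) -> tuple[int, ...]:
    """Extract the leading dotted-numeric part of a version string as a tuple of ints.

    "1.2.96" -> (1, 2, 96); "1.2.96-hotfix" -> (1, 2, 96). Raises on unparseable input
    so an unknown version is surfaced rather than silently treated as patched.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_vulnerable(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version sorts strictly before the patched version.

    Tuple comparison handles the numeric ordering correctly: (1, 2, 100) is not
    less than (1, 2, 96), whereas the string "1.2.100" would sort before "1.2.96".
    A short version such as "1.2" compares as (1, 2) < (1, 2, 96) and is flagged.
    """
    return parse_version(version) < parse_version(patched)

# Constructed inventory for the example; hostnames and versions are made up.
INVENTORY = [
    {"host": "expedition-01.example.internal", "version": "1.2.95"},
    {"host": "expedition-02.example.internal", "version": "1.2.96"},
    {"host": "expedition-lab.example.internal", "version": "1.2.100"},
    {"host": "expedition-old.example.internal", "version": "1.1.51"},
]

def triage(inventory: list[dict]) -> list[dict]:
    """Attach the vendor-recommended actions to each Expedition host.

    Assumption made by this example: credential rotation and network restriction are
    applied to every Expedition host, not only those still on an affected build, since
    an instance patched today may have been exposed while it was unpatched.
    """
    report = []
    for item in inventory:
        vulnerable = is_vulnerable(item["version"])
        actions = []
        if vulnerable:
            actions.append(f"upgrade Expedition to {PATCHED_VERSION} or later")
        actions.append("rotate Expedition usernames, passwords and API keys")
        actions.append("rotate firewall usernames and passwords")
        actions.append("restrict network access to authorized users, hosts or networks")
        report.append({
            "host": item["host"],
            "version": item["version"],
            "vulnerable": vulnerable,
            "actions": actions,
        })
    return report

if __name__ == "__main__":
    for entry in triage(INVENTORY):
        status = "AFFECTED" if entry["vulnerable"] else "patched"
        print(f"{entry['host']:<40} {entry['version']:<8} {status}")
        for action in entry["actions"]:
            print(f"    - {action}")
```

Feed `triage()` the output of whatever asset inventory records the Expedition build, and treat a `ValueError` from `parse_version` as a host that needs manual inspection rather than one that is safe.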
Palo Alto Networks said it was not aware of any active exploitation of these vulnerabilities.
Horizon3.ai has published proof-of-concept code and IoCs (indicators of compromise) to help defenders pinpoint signs of infections.