
Palo Alto Patches Critical Firewall Takeover Vulnerabilities

Palo Alto warns that attackers can access usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Palo Alto Networks on Wednesday pushed out patches for several serious flaws in its Expedition customer migration tool and warned that attackers can launch trivial exploits to take over firewall administrator accounts. 

The vulnerabilities, discovered and documented by Horizon3.ai, open the door for attackers to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system. 

According to a Palo Alto Networks bulletin, a successful attacker would have access to usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

The raw details on the patched vulnerabilities:

  • CVE-2024-9463 (CVSS 9.9) – An OS command injection vulnerability allows an unauthenticated attacker to execute arbitrary OS commands as root, disclosing usernames, cleartext passwords, device configurations, and API keys of PAN-OS firewalls.
  • CVE-2024-9464 (CVSS 9.3) – An authenticated attacker can exploit an OS command injection vulnerability to run OS commands as root, resulting in the same data exposure as CVE-2024-9463.
  • CVE-2024-9465 (CVSS 9.2) – An SQL injection vulnerability allows an unauthenticated attacker to access Expedition database contents, including usernames and password hashes. Attackers can also create and read arbitrary files on the system. Proof-of-concept code is publicly available for this flaw.
  • CVE-2024-9466 (CVSS 8.2) – Cleartext storage of sensitive information vulnerability allows an authenticated attacker to reveal firewall usernames, passwords, and API keys.
  • CVE-2024-9467 (CVSS 7.0) – A reflected XSS vulnerability enables malicious JavaScript execution in an authenticated user’s browser, facilitating phishing attacks and potential session theft.

The company said the vulnerabilities impact Expedition versions prior to 1.2.96. 

In addition to patching, Palo Alto Networks is urging customers to rotate all Expedition usernames, passwords, and API keys, as well as firewall usernames and passwords. The company said network access to Expedition should also be restricted to authorized users, hosts, or networks.

Palo Alto Networks said it was not aware of any active exploitation of these vulnerabilities. 

Horizon3.ai has published proof-of-concept code and IoCs (indicators of compromise) to help defenders pinpoint signs of compromise.

Related: Microsoft Confirms Exploited Zero-Day in Windows Management Console

Related: Qualcomm Alerted to Possible Zero-Day Exploited in Targeted Attacks

Related: Palo Alto Networks Patches Critical Flaw in Cortex XSOAR

Related: Palo Alto Patches BlastRADIUS, Expedition Vulnerabilities

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
