Palo Alto Patches Critical Firewall Takeover Vulnerabilities

Palo Alto warns that attackers can access usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Palo Alto Networks on Wednesday pushed out patches for several serious flaws in its Expedition customer migration tool and warned that attackers can launch trivial exploits to take over firewall administrator accounts.

The vulnerabilities, discovered and documented by Horizon3.ai, open the door for attackers to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system.

According to a Palo Alto Networks bulletin, a successful attacker would have access to usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

The raw details on the patched vulnerabilities:

  • CVE-2024-9463 (CVSS 9.9) – An OS command injection vulnerability allows an unauthenticated attacker to execute arbitrary OS commands as root, disclosing usernames, cleartext passwords, device configurations, and API keys of PAN-OS firewalls.
  • CVE-2024-9464 (CVSS 9.3) – An authenticated attacker can exploit an OS command injection vulnerability to run OS commands as root, resulting in the same data exposure as CVE-2024-9463.
  • CVE-2024-9465 (CVSS 9.2) – An SQL injection vulnerability allows an unauthenticated attacker to access Expedition database contents, including usernames and password hashes. Attackers can also create and read arbitrary files on the system. Proof-of-concept code is publicly available for this flaw.
  • CVE-2024-9466 (CVSS 8.2) – Cleartext storage of sensitive information vulnerability allows an authenticated attacker to reveal firewall usernames, passwords, and API keys.
  • CVE-2024-9467 (CVSS 7.0) – A reflected XSS vulnerability enables malicious JavaScript execution in an authenticated user’s browser, facilitating phishing attacks and potential session theft.

The company said the vulnerabilities impact Expedition versions prior to 1.2.96.

In addition to patching, Palo Alto Networks is urging customers to rotate all Expedition usernames, passwords, and API keys, as well as firewall usernames and passwords. The company said network access to Expedition should also be restricted to authorized users, hosts, or networks.

Palo Alto Networks said it was not aware of any active exploitation of these vulnerabilities.

Horizon3.ai has published proof-of-concept code and IoCs (indicators of compromise) to help defenders spot signs that an Expedition system has been compromised.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.