Palo Alto Networks has released security updates addressing multiple vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466 and CVE-2024-9467) affecting the Palo Alto Networks Expedition solution.
The vulnerabilities are:
- CVE-2024-9463: Successful exploitation of this Operating System (OS) command injection vulnerability allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. This vulnerability is highly likely to be exploited.
- CVE-2024-9464: Successful exploitation of this OS command injection vulnerability allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
- CVE-2024-9465: Successful exploitation of this SQL injection vulnerability allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. Attackers can also use it to create and read arbitrary files on the Expedition system.
- CVE-2024-9466: Successful exploitation of this cleartext storage of sensitive information vulnerability allows an authenticated attacker to reveal firewall usernames, passwords, and the API keys generated using those credentials.
- CVE-2024-9467: Successful exploitation of this reflected XSS vulnerability enables execution of malicious JavaScript in the context of an authenticated Expedition user's browser if that user clicks on a malicious link, allowing phishing attacks that could lead to theft of the user's Expedition browser session.
Note: The critical vulnerability, CVE-2024-5910, in the Palo Alto Networks Expedition Migration Tool is currently being actively exploited. For more details on this, refer to the alert.
These vulnerabilities affect the following products:
- Palo Alto Networks Expedition versions 1.2.96 and earlier
Users and administrators of affected product versions are advised to update to the latest version immediately.
Palo Alto Networks has advised users and administrators to block access from the Internet to their firewalls' PAN-OS management interface and to allow connections only from trusted internal IP addresses. For detailed instructions on securing management access, refer to Palo Alto Networks' Secure Management Access Guide.
More information is available here:
https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
https://nvd.nist.gov/vuln/detail/CVE-2024-9463
https://nvd.nist.gov/vuln/detail/cve-2024-9464
https://nvd.nist.gov/vuln/detail/cve-2024-9465
https://nvd.nist.gov/vuln/detail/cve-2024-9466
https://nvd.nist.gov/vuln/detail/cve-2024-9467
https://security.paloaltonetworks.com/PAN-SA-2024-0010
https://threatprotect.qualys.com/2024/10/11/palo-alto-networks-expedition-multiple-vulnerabilities-cve-2024-9463-cve-2024-9464-cve-2024-9465-cve-2024-9466-cve-2024-9467/