Multiple Vulnerabilities in Palo Alto Networks Expedition

Published on 12 Nov 2024

Palo Alto Networks has released security updates addressing multiple vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466 and CVE-2024-9467) in the Palo Alto Networks Expedition migration tool.

The vulnerabilities are: 

  • CVE-2024-9463: Successful exploitation of the Operating System (OS) command injection vulnerability allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. This vulnerability is highly likely to be exploited.
  • CVE-2024-9464: Successful exploitation of the OS command injection vulnerability allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
  • CVE-2024-9465: Successful exploitation of the SQL injection vulnerability allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
  • CVE-2024-9466: Successful exploitation of the cleartext storage of sensitive information vulnerability allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.
  • CVE-2024-9467: Successful exploitation of the reflected XSS vulnerability enables execution of malicious JavaScript in the context of an authenticated Expedition user's browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Expedition browser session theft.
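The two injection classes named above (OS command injection and SQL injection) share one root cause: attacker-controlled input is concatenated into a command or query string that a parser then interprets. The following Python block is an added illustration of that pattern and its fix, written for this page; it is not Expedition's code and does not reproduce the actual vulnerable paths. The table, rows, credentials and the `echo` command are all constructed sample data.

```python
"""Illustration of the injection classes named in the advisory (added example).

Constructed example: an in-memory table shaped like a stored-credential store
and a trivial shell command stand in for the real application code, which
is not reproduced here.
"""
import re
import sqlite3
import subprocess

# Constructed payloads: each one closes the quoted context the input lands in.
SQLI_PAYLOAD = "' OR '1'='1"
CMDI_PAYLOAD = "hello; echo INJECTED"


def build_db() -> sqlite3.Connection:
    """Create a constructed table with the kind of data the advisory says leaks."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (name TEXT, username TEXT, password_hash TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?, ?)",
        [
            ("fw-edge-01", "admin", "$2y$10$constructedhash1", "CONSTRUCTED-KEY-1"),
            ("fw-core-01", "panadmin", "$2y$10$constructedhash2", "CONSTRUCTED-KEY-2"),
        ],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    """SQL injection: the caller's input becomes part of the SQL text itself."""
    sql = (
        "SELECT name, username, password_hash, api_key FROM devices "
        "WHERE name = '" + name + "'"
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the input is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name, username, password_hash, api_key FROM devices WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def vulnerable_echo(label: str) -> str:
    """OS command injection: shell=True plus string concatenation lets /bin/sh
    interpret ';', '|', '$(...)' and friends inside the input."""
    proc = subprocess.run("echo " + label, shell=True, capture_output=True, text=True)
    return proc.stdout


def safe_echo(label: str) -> str:
    """Hardened form: argv list and no shell, so the input is one literal argument."""
    proc = subprocess.run(["echo", label], capture_output=True, text=True)
    return proc.stdout


# Defence in depth: even with argv lists, only accept inputs that look like what
# the feature needs (here, a hostname), and reject everything else outright.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def is_safe_hostname(value: str) -> bool:
    """Allowlist check for a hostname-shaped value (constructed policy)."""
    return HOSTNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    conn = build_db()
    print("SQLi, vulnerable :", vulnerable_lookup(conn, SQLI_PAYLOAD))
    print("SQLi, hardened   :", safe_lookup(conn, SQLI_PAYLOAD))
    print("CMDi, vulnerable :", repr(vulnerable_echo(CMDI_PAYLOAD)))
    print("CMDi, hardened   :", repr(safe_echo(CMDI_PAYLOAD)))
    print("allowlist        :", is_safe_hostname("fw-edge-01"), is_safe_hostname(CMDI_PAYLOAD))
```

Running the block shows the contrast directly: the concatenated query returns every row, including the constructed password hashes and API keys, for a lookup that should match nothing, while the parameterised query returns an empty list; the `shell=True` call executes the second command embedded in the input, while the argv form simply echoes the input back as text. The `is_safe_hostname` allowlist is a second, independent layer: it is not a substitute for parameterisation or argv lists, but it rejects the payloads before they reach either sink.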

Note: The critical vulnerability CVE-2024-5910 (missing authentication for a critical function, allowing takeover of the Expedition admin account) in the Palo Alto Networks Expedition Migration Tool is currently being actively exploited. For more details on this, refer to the alert.

These vulnerabilities affect the following products:

  • Palo Alto Networks Expedition versions earlier than 1.2.96 (the issues are fixed in Expedition 1.2.96 and later)

Users and administrators of affected product versions are advised to update to the latest version immediately. Because these vulnerabilities expose credentials held by Expedition, updating alone does not close the exposure: the vendor advisory also recommends rotating all Expedition usernames, passwords and API keys, as well as all firewall usernames, passwords and API keys that Expedition has processed, after the upgrade.

Palo Alto Networks has advised users and administrators to restrict all network access to Expedition to authorised users, hosts or networks, and to block access from the Internet to their firewalls' PAN-OS management interface, allowing connections only from trusted internal IP addresses. For detailed instructions on securing management access, refer to Palo Alto Networks' Secure Management Access Guide.

More information is available here:

https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431

https://nvd.nist.gov/vuln/detail/CVE-2024-9463

https://nvd.nist.gov/vuln/detail/cve-2024-9464

https://nvd.nist.gov/vuln/detail/cve-2024-9465

https://nvd.nist.gov/vuln/detail/cve-2024-9466

https://nvd.nist.gov/vuln/detail/cve-2024-9467

https://security.paloaltonetworks.com/PAN-SA-2024-0010

https://threatprotect.qualys.com/2024/10/11/palo-alto-networks-expedition-multiple-vulnerabilities-cve-2024-9463-cve-2024-9464-cve-2024-9465-cve-2024-9466-cve-2024-9467/