Research

Emerging Security Issue: Multiple Palo Alto Networks Expedition PAN-OS Firewalls Vulnerabilities

By Emma Zaballos
Product Marketing Manager
October 16, 2024

What are CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, and CVE-2024-9467? 

On October 9th, 2024, five vulnerabilities were disclosed by Palo Alto Networks:

  • CVE-2024-9463 (9.9 critical): This OS command injection vulnerability allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
  • CVE-2024-9464 (9.3 critical): This OS command injection vulnerability gives authenticated attackers the ability to run arbitrary OS commands as root in Expedition.
  • CVE-2024-9465 (9.2 critical): This SQL injection vulnerability reveals Expedition database contents to unauthenticated users, including password hashes, usernames, device configurations, and device API keys.
  • CVE-2024-9466 (8.2 high): Researchers identified sensitive information stored in cleartext in Palo Alto Networks Expedition that allows an authenticated attacker to access firewall usernames, passwords, and API keys.
  • CVE-2024-9467 (7.0 high): This reflected XSS vulnerability allows attackers to leverage malicious links to execute malicious JavaScript in an authenticated Expedition user’s browser.

These vulnerabilities affect Palo Alto Networks Expedition, a tool that manages configuration migration from supported vendors to Palo Alto Networks systems.

What assets are affected by these vulnerabilities?

These flaws affect Expedition versions before 1.2.96, allowing both authenticated and unauthenticated attackers to read database contents and files, and to write arbitrary files. Successful exploitation can result in exposure of sensitive information such as usernames, passwords, and API keys.

Palo Alto Networks Cloud NGFW, PAN-OS, Panorama, and Prisma Access are unaffected by the issues above. 

Are fixes available? 

Updating to Expedition version 1.2.96 or later fixes all five issues. Updating also removes the cleartext file affected by CVE-2024-9466. 
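To turn the affected-version statement above into an inventory check, here is an added example (not CyCognito's or Palo Alto Networks' code) that flags Expedition instances running anything below 1.2.96; the inventory entries and hostnames are constructed, and the check compares versions numerically so that 1.2.100 is correctly treated as newer than 1.2.96.

```python
from typing import Dict, List, Tuple

# Versions at or above this are fixed for all five CVEs (from the advisory).
FIXED_VERSION = "1.2.96"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.96' into (1, 2, 96) so comparison is numeric, not lexicographic.
    A plain string compare would wrongly treat '1.2.100' as older than '1.2.96'."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when an Expedition version predates the 1.2.96 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return inventory entries that still need patching (or, until patched,
    network restriction plus credential rotation as the advisory recommends).
    Unknown versions are flagged too: an unknown version cannot be assumed safe."""
    findings = []
    for host in inventory:
        if host.get("product") != "Expedition":
            continue  # PAN-OS, Panorama, Cloud NGFW, Prisma Access are unaffected
        try:
            affected = is_affected(host["version"])
            reason = "version below 1.2.96"
        except (KeyError, ValueError):
            affected, reason = True, "version unknown; verify manually"
        if affected:
            findings.append({"host": host["host"], "reason": reason})
    return findings


# Constructed sample inventory (hypothetical hosts, not real assets).
SAMPLE_INVENTORY = [
    {"host": "expedition-01.example.test", "product": "Expedition", "version": "1.2.95"},
    {"host": "expedition-02.example.test", "product": "Expedition", "version": "1.2.96"},
    {"host": "expedition-03.example.test", "product": "Expedition", "version": "1.2.100"},
    {"host": "expedition-04.example.test", "product": "Expedition", "version": "n/a"},
    {"host": "fw-01.example.test", "product": "PAN-OS", "version": "10.2.9"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['reason']}")
```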

Are there any other actions to take? 

Instead of or in addition to applying the patches above, organizations can also restrict access to affected assets, limiting network access to authorized users, hosts or networks, to protect key resources. 

Palo Alto Networks also recommends rotating all usernames, passwords, and API keys for Expedition and for any firewalls processed by Expedition.

Are these issues being actively exploited? 

Though active exploitation has not been reported, the severity and ease of exploitation pose significant risk, and steps to reproduce the issues above are publicly available.

How is CyCognito helping customers identify assets vulnerable to these issues? 

CyCognito has integrated an active test for CVE-2024-9463 and has not detected any affected assets in customer environments. While Expedition assets are not typically externally exposed, users can check if their assets may be vulnerable using provided filters in the CyCognito platform. All customers have access to an in-platform emerging security issue announcement as of October 14th, 2024.  

Figure 1: The alert sent by CyCognito for CVE-2024-7594

How can CyCognito help your organization? 

CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. Want to see how it works? Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.
