Palo Alto Networks Expedition Multiple Vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467)

On November 14, 2024, Palo Alto Networks disclosed five critical vulnerabilities in its Expedition configuration migration tool, a solution designed to simplify the migration of firewall configurations from third-party vendors to Palo Alto Networks' PAN-OS infrastructure. These vulnerabilities—tracked as CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, and CVE-2024-9467—expose users to risks such as unauthorized access, data leakage, and system compromise. Two vulnerabilities (CVE-2024-9463 and CVE-2024-9465) have been reported as actively exploited in the wild, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Affected Products

The following versions of Palo Alto Networks Expedition are impacted by these vulnerabilities:

• Expedition: Versions prior to 1.2.96

Users running these versions are urged to upgrade to version 1.2.96 or later to secure their systems against exploitation (Palo Alto Networks Advisory, 2024).

Technical Details

These vulnerabilities result from multiple issues, including OS Command Injection, SQL Injection, improper storage of sensitive information, and Cross-Site Scripting (XSS). Below is a detailed breakdown of each CVE: CVE-2024-9463 - OS Command Injection (Unauthenticated)

• Severity: Critical (CVSS 9.9)
• Description: Allows an unauthenticated attacker to execute OS commands as root, exposing sensitive data such as usernames, cleartext passwords, device configurations, and API keys of PAN-OS firewalls
• Exploitation Status: Actively exploited in the wild

CVE-2024-9464 - OS Command Injection (Authenticated)

• Severity: Critical (CVSS 9.3)
• Description: Allows an authenticated user to execute OS commands as root, potentially leading to unauthorized data access and exposure of credentials

CVE-2024-9465 - SQL Injection (Unauthenticated)

• Severity: Critical (CVSS 9.2)
• Description: Enables unauthenticated attackers to access Expedition database contents, including password hashes, usernames, and configurations, and to create or read arbitrary files on the system
• Exploitation Status: Actively exploited in the wild
• Indicator of Compromise (IoC): Use the following SQL command to identify potential compromise:

mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"

CVE-2024-9466 - Cleartext Storage of Sensitive Information

• Severity: High (CVSS 8.2)
• Description: Stores sensitive information (e.g., usernames, passwords, and API keys) in plaintext, making it accessible to authenticated users

CVE-2024-9467 - Reflected Cross-Site Scripting (XSS)

• Severity: High (CVSS 7.0)
• Description: Allows attackers to execute malicious JavaScript in the browser of an authenticated user, potentially leading to session theft or phishing attacks

Available Patches

Palo Alto Networks has issued patches to address all identified vulnerabilities. Users are advised to upgrade to Expedition version 1.2.96 or later, which resolves these issues. During the upgrade, the system automatically removes plaintext files associated with CVE-2024-9466.

Workarounds and Recommendations

For organizations unable to apply the patches immediately, the following mitigations can reduce exposure:

1. Restrict Access:
   • Limit network access to Expedition systems to authorized users, hosts, or networks only
   • If Expedition is not actively in use, disable it to minimize exposure
2. Credential Rotation:
   • Rotate all Expedition usernames, passwords, and API keys after upgrading
   • Similarly, rotate all credentials associated with PAN-OS firewalls that were processed by Expedition
3. Monitor Systems:
   • Implement enhanced logging and monitoring for unexpected access attempts or abnormal commands

The vulnerabilities in Palo Alto Networks Expedition pose significant risks to organizations using the tool for firewall configuration migration. With active exploitation of CVE-2024-9463 and CVE-2024-9465, Palo Alto Networks and CISA strongly advise immediate patching and the application of recommended security practices. Additionally, Centripetal’s CleanINTERNET® service can further protect networks by detecting and blocking malicious exploit attempts associated with CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467 through advanced threat intelligence and real-time traffic filtering. If you are a current client of Palo Alto and use their Networks Expedition Software please contact support@centripetal.ai. Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.