Palo Alto Networks has issued a critical warning urging customers to immediately patch security vulnerabilities in Expedition, its PAN-OS firewall configuration migration tool, because exploit code for the flaws is publicly available and attackers could use them to gain unauthorized access to and control of the tool and the devices it manages.
The affected product, Expedition, is the tool Palo Alto Networks provides for migrating firewall configurations from Check Point, Cisco, and other supported vendors to PAN-OS.
Flaws of this kind are attractive to attackers because the tool handles sensitive information, such as credentials, that can be used to take over critical systems like firewall administrator accounts.
“A critical vulnerability exists within Palo Alto Networks’ Expedition platform, permitting unauthorized access to sensitive data and allowing attackers to read or write arbitrary records, including temporary storage areas, with severe consequences for affected systems.”
“Mixed together, this dataset includes a range of sensitive information such as usernames, cleartext passwords, system configurations, and system API keys from PAN-OS firewalls.”
The vulnerabilities include command injection, reflected cross-site scripting, cleartext storage of sensitive information, missing authentication, and SQL injection flaws.
Proof-of-concept exploit available
Zach Hanley, a Horizon3.ai vulnerability researcher, discovered and reported four of the vulnerabilities and has published details on how he found three of them while investigating CVE-2024-5910, a flaw that allows attackers to reset Expedition administrator credentials.
Hanley chained the CVE-2024-5910 administrator reset flaw with the CVE-2024-9464 command injection vulnerability to achieve unauthenticated arbitrary command execution on vulnerable Expedition servers.
Palo Alto Networks says it has again found no evidence that the identified vulnerabilities have been exploited in actual attacks.
Fixes for these issues are available in Expedition 1.2.96 and later versions. Palo Alto Networks’ guidance also states that the cleartext file affected by CVE-2024-9466 should be promptly removed after upgrading.
“All Expedition usernames, passwords, and API keys must be promptly rotated following an upgrade to the latest version or ‘mounted’ model of Expedition.” All firewall usernames, passwords, and API keys processed by Expedition must also be rotated after the update.
Administrators who cannot deploy the security updates immediately should restrict network access to Expedition to authorized users, hosts, and networks.
In mid-April, the company also released emergency patches for a PAN-OS firewall vulnerability that a sophisticated nation-state threat actor (UTA0218) had been exploiting since March to gain unauthorized access to and control of the devices.