Palo Alto Networks Firewalls, Expedition Under Attack
Summary:
On November 14, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of two critical vulnerabilities in Expedition, Palo Alto Networks' firewall configuration migration tool: CVE-2024-9463 and CVE-2024-9465, with CVSS scores of 9.9 and 9.3 respectively. CVE-2024-9463 is an OS command injection flaw that lets an unauthenticated attacker execute arbitrary OS commands as root on a vulnerable Expedition instance, exposing usernames, cleartext passwords, device configurations, and device API keys for the PAN-OS firewalls Expedition has processed. CVE-2024-9465 is a SQL injection flaw that lets an unauthenticated attacker read the contents of Expedition's database, including password hashes, usernames, device configurations, and device API keys, and also create and read arbitrary files on the system. Both issues affect Expedition versions earlier than 1.2.96, the release that fixes them.
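As an added, generic illustration of the two bug classes the advisory names (this is not Expedition's code, and the actual vulnerable parameters are not disclosed by the advisory), the snippet below pairs a command-injection pattern and a SQL-injection pattern with their hardened forms. The function names, the in-memory SQLite credential table and the sample inputs are all constructed for the example; the injected command only echoes a marker so the demonstration is harmless.

```python
"""Added example: OS command injection and SQL injection beside their fixes.
Not Expedition's code; function names, schema and inputs are constructed."""
import sqlite3
import subprocess

# Constructed attacker-controlled values. The shell payload only echoes a
# marker; a real payload in the same position would run anything as the
# web server's user (root, in the CVE-2024-9463 case).
MALICIOUS_HOST = "10.0.0.1; echo INJECTED"
MALICIOUS_NAME = "nobody' OR '1'='1"


def probe_vulnerable(host: str) -> str:
    """Command injection: user input is spliced into a string run by a shell.
    The ';' terminates the intended command and starts the attacker's."""
    res = subprocess.run(f"echo probe {host}", shell=True,
                         capture_output=True, text=True)
    return res.stdout


def probe_hardened(host: str) -> str:
    """Fix: allowlist the value, then pass argv with no shell so metacharacters
    in the value are never interpreted."""
    if not host or not all(ch.isalnum() or ch in ".-" for ch in host):
        raise ValueError(f"rejected host value: {host!r}")
    res = subprocess.run(["echo", "probe", host], capture_output=True, text=True)
    return res.stdout


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a migration tool's credential table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, api_key TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "$2y$10$hashA", "keyA"), ("migrator", "$2y$10$hashB", "keyB")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """SQL injection: the value is concatenated into the query text, so a
    quote inside it rewrites the WHERE clause and dumps every row."""
    sql = f"SELECT name, pw_hash, api_key FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_hardened(con: sqlite3.Connection, name: str) -> list:
    """Fix: a bound parameter travels as data and cannot change the query."""
    return con.execute(
        "SELECT name, pw_hash, api_key FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    print("vulnerable shell-out:", probe_vulnerable(MALICIOUS_HOST).split())
    try:
        probe_hardened(MALICIOUS_HOST)
    except ValueError as exc:
        print("hardened shell-out:", exc)
    db = make_db()
    print("vulnerable query rows:", len(lookup_vulnerable(db, MALICIOUS_NAME)))
    print("hardened query rows:", len(lookup_hardened(db, MALICIOUS_NAME)))
```

The point of the pairing is what the advisory's impact statements imply: the injected query returns every stored hash and API key, not just the row the caller asked for, and the shell-out runs the attacker's command with whatever privileges the application has. Patching removes the entry point but does nothing about data already read through it, which is why credential rotation accompanies the upgrade in the vendor's guidance.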
Security Officer Comments:
Both vulnerabilities were patched by Palo Alto Networks on October 9, 2024 (advisory PAN-SA-2024-0010), alongside several other Expedition flaws. A third Expedition vulnerability, CVE-2024-5910, a missing-authentication issue for a critical function that was patched in July 2024, has also been exploited in the wild. CISA has added CVE-2024-9463 and CVE-2024-9465 to its Known Exploited Vulnerabilities (KEV) catalog, requiring US Federal Civilian Executive Branch (FCEB) agencies to remediate them by December 5, 2024. The extent and specifics of the exploitation have not been made public, but confirmed in-the-wild use is reason enough to patch and rotate credentials promptly rather than wait for details.
Suggested Corrections:
CISA's addition of CVE-2024-9463 and CVE-2024-9465 to the Known Exploited Vulnerabilities catalog means US federal civilian agencies must remediate them within three weeks.
Palo Alto Networks advises admins to:
- Upgrade Expedition installations to the latest available version (1.2.96 or later fixes both issues)
- Rotate Expedition usernames, passwords, and API keys
- Rotate firewall usernames, passwords, and API keys that were processed by Expedition
- Ensure network access to Expedition is restricted to authorized users, hosts, or networks
- Shut down the software when it is not in use
Upgrading alone does not revoke credentials or API keys an attacker may already have read from the Expedition database, so the rotation steps are not optional for any instance that was reachable while unpatched; the PAN-OS firewall API keys in particular grant management access to the firewalls themselves.
Hardening Guidance:
https://www.cisa.gov/news-events/alerts/2024/11/13/palo-alto-networks-emphasizes-hardening-guidance
Link(s):
https://www.helpnetsecurity.com/2024/11/15/cve-2024-9463-cve-2024-9465/
https://security.paloaltonetworks.com/PAN-SA-2024-0010
https://www.cisa.gov/news-events/al...s-two-known-exploited-vulnerabilities-catalog