CISA Issues Warning on Active Exploitation of Additional Palo Alto Networks Vulnerabilities
November 14, 2024
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the active exploitation of two additional critical security vulnerabilities in the Expedition migration tool by Palo Alto Networks. The tool, which is used to migrate configurations from Checkpoint, Cisco, and other supported vendors, is being targeted by attackers who exploit the unauthenticated command injection (CVE-2024-9463) and SQL injection (CVE-2024-9465) vulnerabilities to gain unauthorized access to unpatched systems.
The first vulnerability, CVE-2024-9463, allows attackers to execute arbitrary operating system commands as the root user, revealing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. The second vulnerability, CVE-2024-9465, can be exploited to access the contents of the Expedition database, including password hashes, usernames, device configurations, and device API keys. It can also be used to create or read arbitrary files on vulnerable systems.
In response to these vulnerabilities, Palo Alto Networks has released security updates in Expedition 1.2.96 and later versions. The company recommends that administrators who are unable to immediately update the software restrict network access to the Expedition tool to authorized users, hosts, or networks.
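As an added example (not code from Palo Alto Networks or CISA), the following Python triage applies the two options above to a constructed Expedition inventory: a host is "patched" at 1.2.96 or later, "mitigated" if its UI is reachable only from approved admin networks, and otherwise "exposed". Hostnames, versions and networks are invented; the version comparison is numeric so that 1.2.100 is correctly treated as newer than 1.2.96.

```python
"""Triage Expedition hosts against the remediation guidance: upgrade to
1.2.96+ or restrict UI access to authorized networks in the meantime."""
import ipaddress

FIXED_VERSION = (1, 2, 96)  # Expedition 1.2.96 and later carry the fixes


def parse_version(version):
    """'1.2.96' -> (1, 2, 96). Tuples compare numerically; as plain strings
    '1.2.100' would wrongly sort before '1.2.96'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version):
    return parse_version(version) >= FIXED_VERSION


def is_access_restricted(allowed_sources, admin_networks):
    """True only if every source allowed to reach the UI lies inside an
    approved admin network; 0.0.0.0/0 or an empty allowlist never qualifies."""
    admins = [ipaddress.ip_network(n) for n in admin_networks]
    for src in allowed_sources:
        net = ipaddress.ip_network(src)
        if not any(net.subnet_of(a) for a in admins if a.version == net.version):
            return False
    return bool(allowed_sources)


def triage(host, admin_networks):
    if is_patched(host["version"]):
        return "patched"
    if is_access_restricted(host["ui_allowed_from"], admin_networks):
        return "mitigated"  # interim measure only; the upgrade is still due
    return "exposed"


# Constructed sample inventory (hypothetical hosts and networks, not real assets)
ADMIN_NETWORKS = ["10.10.0.0/24"]
INVENTORY = [
    {"name": "exp-01", "version": "1.2.96", "ui_allowed_from": ["0.0.0.0/0"]},
    {"name": "exp-02", "version": "1.2.92", "ui_allowed_from": ["10.10.0.0/25"]},
    {"name": "exp-03", "version": "1.2.92", "ui_allowed_from": ["0.0.0.0/0"]},
    {"name": "exp-04", "version": "1.2.100", "ui_allowed_from": ["0.0.0.0/0"]},
]


def triage_inventory(inventory, admin_networks=ADMIN_NETWORKS):
    return {h["name"]: triage(h, admin_networks) for h in inventory}


if __name__ == "__main__":
    for name, status in triage_inventory(INVENTORY).items():
        print(f"{name}: {status}")
```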
In a security advisory published in early October, Palo Alto Networks stated, 'Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system.' The advisory also noted that these vulnerabilities do not affect its firewall, Panorama, Prisma Access, and Cloud NGFW products.
CISA has added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog and has ordered federal agencies to patch Palo Alto Networks Expedition servers on their networks within three weeks, by December 5, in accordance with the binding operational directive (BOD 22-01).
Last week, CISA warned of another Expedition security flaw—a critical missing authentication vulnerability (CVE-2024-5910) patched in July that can let threat actors reset application admin credentials—actively abused in attacks. Proof-of-concept exploit code released by Horizon3.ai vulnerability researcher Zach Hanley last month can help chain CVE-2024-5910 with another command injection vulnerability (CVE-2024-9464) patched in October to gain 'unauthenticated' arbitrary command execution on vulnerable and Internet-exposed Expedition servers. CVE-2024-9464 can be chained with other Expedition flaws (also addressed last month) to take over firewall admin accounts and hijack unpatched PAN-OS firewalls.