Palo Alto Networks Issues Fix for Critical Vulnerabilities, Including CVE-2024-9463 (CVSS 9.9)

by do son · October 9, 2024

Palo Alto Networks recently issued a security advisory (PAN-SA-2024-0010) detailing several high-severity vulnerabilities affecting its Expedition migration tool, with CVSS scores ranging from 7.0 to 9.9. These flaws, if exploited, could lead to the takeover of firewall admin accounts, exposing sensitive information such as usernames, cleartext passwords, and API keys for PAN-OS firewalls.

The vulnerabilities discovered in Expedition are critical, especially for organizations relying on Palo Alto Networks firewalls. These flaws include OS command injection, SQL injection, and cleartext storage of sensitive information, making it possible for attackers to gain root access and steal confidential data.

CVE-2024-9463 (CVSS 9.9): An OS command injection vulnerability allowing an unauthenticated attacker to execute arbitrary OS commands as root, leading to the exposure of firewall usernames, passwords, and API keys.
CVE-2024-9464 (CVSS 9.3): A similar OS command injection vulnerability, but requiring authentication, allowing attackers to exploit Expedition and run OS commands as root.
CVE-2024-9465 (CVSS 9.2): An SQL injection vulnerability allowing unauthorized attackers to access Expedition’s database, revealing password hashes, usernames, and more.
CVE-2024-9466 (CVSS 8.2): A cleartext storage vulnerability that exposes firewall usernames and passwords, posing a significant risk if not mitigated.
CVE-2024-9467 (CVSS 7.0): A reflected XSS vulnerability that allows attackers to execute malicious JavaScript via phishing attacks.

Palo Alto Networks has released version 1.2.96 of Expedition, which addresses these vulnerabilities. The advisory recommends that all usernames, passwords, and API keys processed by Expedition be rotated after updating to this fixed version. It also suggests limiting network access to Expedition to authorized users to minimize the risk of exposure.

The company acknowledged researchers from Horizon3.ai and Palo Alto Networks who reported these vulnerabilities. Despite the severity of these issues, Palo Alto Networks states that they are “not aware of any malicious exploitation of these issues.”

Organizations using Palo Alto Networks Expedition should immediately upgrade to version 1.2.96 or later and rotate all relevant credentials. Failure to do so could result in unauthorized access to critical systems. For administrators looking to detect potential compromise linked to CVE-2024-9465, the advisory provides the following indicator of compromise (IoC) command:

mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"

If this command returns records, it may indicate a compromise of the system. However, Palo Alto Networks advises that this does not guarantee that a system is free from compromise if no records are returned.