Palo Alto Networks firewalls, Expedition under attack (CVE-2024-9463, CVE-2024-9465)

Attackers have been spotted exploiting two additional vulnerabilities (CVE-2024-9463, CVE-2024-9465) in Palo Alto Networks’ Expedition firewall configuration migration tool, CISA confirmed on Thursday.


About the vulnerabilities (CVE-2024-9463, CVE-2024-9465)

CVE-2024-9463 allows unauthenticated attackers to run arbitrary OS commands as root on vulnerable Expedition instances, leading to disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

CVE-2024-9465 – an SQL injection vulnerability – allows unauthenticated attackers to grab data from Expedition’s database (password hashes, usernames, device configurations, device API keys) and to create and read arbitrary files on vulnerable Expedition systems.

Both vulnerabilities were patched by Palo Alto Networks in early October 2024, alongside several other flaws.

Among those is CVE-2024-9464, an authenticated command injection bug that could be chained with CVE-2024-5910 (missing authentication for a critical function) – as demonstrated by Horizon3.ai researchers.

CVE-2024-5910, a patch for which was provided by PAN in July 2024, is also being leveraged in the wild, CISA said last week. (Whether alone or in conjunction with any other flaw is currently unknown.)

What to do?

CISA adding CVE-2024-9463 and CVE-2024-9465 to its Known Exploited Vulnerabilities catalog means that US federal civilian agencies must remediate them within three weeks.

“Although [Binding Operational Directive (BOD) 22-01] only applies to [Federal Civilian Executive Branch] agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice,” the agency noted.

Palo Alto Networks advises admins to:

  • Upgrade Expedition installations to the latest available version
  • Rotate Expedition usernames, passwords, and API keys
  • Rotate firewall usernames, passwords, and API keys processed by Expedition
  • Ensure network access to Expedition is restricted to authorized users, hosts, or networks
  • Shut down the software if not in use

Expedition should not be exposed to the internet, and generally isn’t: Censys recently searched for reachable Expedition instances, and found only 45 of them.

PAN firewalls under attack via unspecified zero-day RCE flaw

Last week Palo Alto urged customers to appropriately configure and secure access to firewall management interfaces exposed to the internet, after observing threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of them.

“We do not have sufficient information about any indicators of compromise to share at this time. If the management interface was exposed to the Internet, we advise the customer to monitor for suspicious threat activity such as unrecognized configuration changes or users,” the company advised.
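As an added illustration of the monitoring the company recommends (this is not code from Palo Alto Networks or from the article), the script below compares a baseline export of a firewall configuration against a newer one and reports administrator accounts that were added, removed, or changed role. The XML layout it parses and both snapshots are assumptions and constructed samples, not real device exports.

```python
import xml.etree.ElementTree as ET

# Constructed sample snapshots (not real exports). Assumption: local admin
# accounts sit under /config/mgt-config/users/entry[@name] with their role
# under permissions/role-based.
BASELINE_XML = """<config>
  <mgt-config><users>
    <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    <entry name="netops"><permissions><role-based><superreader>yes</superreader></role-based></permissions></entry>
  </users></mgt-config>
</config>"""

CURRENT_XML = """<config>
  <mgt-config><users>
    <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    <entry name="netops"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    <entry name="support1"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
  </users></mgt-config>
</config>"""


def admin_accounts(config_xml: str) -> dict:
    """Return {username: role} for every local administrator in the snapshot."""
    root = ET.fromstring(config_xml)
    accounts = {}
    for entry in root.findall("./mgt-config/users/entry"):
        role_node = entry.find("./permissions/role-based/*")
        accounts[entry.get("name")] = role_node.tag if role_node is not None else "unknown"
    return accounts


def diff_admins(baseline_xml: str, current_xml: str) -> dict:
    """Flag admins added, removed, or whose role changed since the baseline."""
    before = admin_accounts(baseline_xml)
    after = admin_accounts(current_xml)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "role_changed": sorted(u for u in before.keys() & after.keys()
                               if before[u] != after[u]),
    }


if __name__ == "__main__":
    # Any non-empty finding should be reconciled against the change/audit log.
    for kind, users in diff_admins(BASELINE_XML, CURRENT_XML).items():
        print(f"{kind}: {users}")
```

On the constructed samples this reports one new superuser account and one existing account promoted from read-only to superuser, which is exactly the kind of unrecognized change the bulletin asks customers to look for.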

UPDATE (November 16, 2024, 10:35 a.m. ET):

Palo Alto has updated the security bulletin to include indicators of compromise related to these attacks: attackers’ IP addresses and the checksum of a webshell they observed getting dropped on compromised devices.
