
Series of Bugs in Palo Alto Expedition Grant Full Access

“We find that a simple request to that exact endpoint over the web service resets the admin password.” - Well, I don’t like the sound of that…

There are vulnerabilities and then there are Vulnerabilities. Palo Alto Networks this week released fixes for a set of bugs that can only be described as the most capital of capital V Vulnerabilities in its Expedition app: an unauthenticated OS command injection bug, an unauthenticated SQL injection bug, and the storage of credentials in cleartext in the logs. 

Researchers from Horizon3’s Attack Team, which is one of the premier offensive security research groups, decided to take a look at a separate vulnerability that PAN patched in July (CVE-2024-5910), which involved missing authentication for a specific function in Expedition.

While they were digging into that bug, the team discovered several other issues with the app, which is used to migrate configurations from other supported vendors into PAN products.

CVEs Involved: CVE-2024-9464, CVE-2024-9465, CVE-2024-9466

Why It Matters: By combining the effects of these vulnerabilities, an attacker could not only access the Expedition database, but also write arbitrary files to the Expedition system. The attacker would have access to cleartext passwords, device configurations, and API keys for the PAN-OS firewalls. Edge security devices are extremely common and valuable targets for attackers and the disclosure of this set of vulnerabilities likely will draw even more attention to PAN’s devices. 

Key Details

  • CVE-2024-9464 is an OS command injection vulnerability in Palo Alto Networks Expedition that allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

  • CVE-2024-9465 is an SQL injection vulnerability in Palo Alto Networks Expedition that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

  • CVE-2024-9466 is a cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition that allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.

Vendor Response: PAN released fixes for these three flaws, as well as two others (CVE-2024-9463 and CVE-2024-9467) on Wednesday. The fixed version of Expedition is 1.2.96.

Further Reading