Palo Alto Networks Security Advisories /PAN-SA-2024-0010PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account TakeoverUrgencyHIGHESTResponse EffortHIGHRecoveryUSERValue DensityCONCENTRATEDAttack VectorNETWORKAttack ComplexityLOWAttack RequirementsNONEAutomatableNOUser InteractionNONEProduct ConfidentialityHIGHProduct IntegrityHIGHProduct AvailabilityHIGHPrivileges RequiredNONESubsequent ConfidentialityHIGHSubsequent IntegrityNONESubsequent AvailabilityNONEJSON Published2024-10-09 Updated2024-10-09ReferenceDiscoveredexternallyDescriptionMultiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system. Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.CVECVSSSummaryCVE-2024-94639.9(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N)An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.CVE-2024-94649.3(CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N)An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.CVE-2024-94659.2(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N)An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.CVE-2024-94668.2(CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N)A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.CVE-2024-94677.0(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N)A reflected XSS vulnerability in Palo Alto Networks Expedition enables execution of malicious JavaScript in the context of an authenticated Expedition user’s browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Expedition browser session theft.Product StatusVersionsAffectedUnaffectedExpedition < 1.2.96>= 1.2.96Severity:CRITICALCVSSv4.0Base Score:9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red)Exploitation StatusPalo Alto Networks is not aware of any malicious exploitation of these issues.Weakness TypeCWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')CWE-532 Insertion of Sensitive Information into Log FileSolutionThe fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions.The cleartext file affected by CVE-2024-9466 will be removed automatically during the upgrade.All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition.All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating.Workarounds and MitigationsEnsure networks access to Expedition is restricted to authorized users, hosts, or networks.For CVE-2024-9465, you can check for an indicator of compromise with the following command on an Expedition system (replace "root" with your username if you are using a different username): mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"If you see any records returned, this indicates a potential compromise. Please note that if no records are returned, the system may still be compromised. This is only intended to indicate a potential compromise, rather than confirm a system has not been compromised.There are no practical indicators of compromise for the remainder of the CVEs in this advisory.AcknowledgmentsPalo Alto Networks thanks Zach Hanley (@hacks_zach) of Horizon3.ai for discovering and reporting CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466.Palo Alto Networks thanks Enrique Castillo of Palo Alto Networks for discovering and reporting CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, and CVE-2024-9467.Timeline2024-10-09Initial publication
