PAN-SA-2024-0006 Informational Bulletin: Expedition Installation Script Resets Root Password
Informational
Description
A hardcoded password in the Palo Alto Networks Expedition VM installation script may allow remote attackers to elevate their privileges to root access on Expedition VMs if the password is not changed as directed by the installation instructions.
The updated version of the script no longer resets the password, so the password no longer needs to be changed manually after installation.
Additional information can be found in the Expedition installation guide and hardening guide, which recommend both changing the root password and using key-based SSH authentication: https://live.paloaltonetworks.com/t5/expedition-articles/expedition-documentation/ta-p/215619
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Expedition initSetup_v2.0 | < commit date 20240605 | >= commit date 20240605 |
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-798 Use of Hard-coded Credentials
Solution
The password is no longer reset in the Expedition initSetup_v2.0 script with a commit date of 20240605, nor in any later Expedition VM script version. The commit date of the initSetup_v2 script (https://conversionupdates.paloaltonetworks.com/expedition1_Installer_latest.tgz) can be found at the top of the script as a comment.
If you installed Expedition before June 5, 2024 and did not change the root password after the installation completed, verify that the root password is what you expect.
Workarounds and Mitigations
This issue requires the remote attacker to know the password of the root account used on the Expedition VM. You can mitigate this issue by changing the default password of the Expedition VM to a password of industry-standard complexity.
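The two checks the Solution and Workarounds sections describe, as an added example that is not the advisory's or Palo Alto Networks' own tooling: it reads the commit date comment from a local copy of initSetup_v2.0 and compares it against 20240605, and it inspects an sshd_config to confirm root password logins are blocked, as the hardening guide's key-based SSH recommendation implies. The exact comment format (an 8-digit YYYYMMDD value on a leading comment line), the script name and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not the advisory's or Palo Alto Networks' own tooling.
# Checks (1) whether the local initSetup_v2.0 script carries the 20240605
# fix commit and (2) whether sshd still accepts root password logins (the
# hardening guide recommends key-based SSH authentication).
# Assumption: the commit date appears as an 8-digit YYYYMMDD value in a
# comment line near the top of the script; adjust the pattern otherwise.

FIXED_COMMIT_DATE=20240605

# Print the first 8-digit date found in a comment within the top 20 lines.
initsetup_commit_date() {
    head -n 20 "$1" | grep -E '^#' | grep -oE '[0-9]{8}' | head -n 1
}

# Status 0 when the script is at or after the fix, 1 when it predates it,
# 2 when no date comment was found (treat as unverified, not as safe).
initsetup_is_fixed() {
    d=$(initsetup_commit_date "$1")
    [ -n "$d" ] || return 2
    [ "$d" -ge "$FIXED_COMMIT_DATE" ]
}

# Print the effective value of an sshd_config keyword (sshd uses the first
# occurrence, so stop at the first match); empty if the keyword is unset.
sshd_option() {
    awk -v key="$2" 'tolower($1) == key { print tolower($2); exit }' "$1"
}

# Status 0 when root cannot log in over SSH with a password: PermitRootLogin
# forbids it, or PasswordAuthentication is off. Unset keywords fall back to
# the OpenSSH defaults (prohibit-password and yes respectively).
root_password_login_blocked() {
    prl=$(sshd_option "$1" permitrootlogin); prl=${prl:-prohibit-password}
    pa=$(sshd_option "$1" passwordauthentication); pa=${pa:-yes}
    case "$prl" in
        no|prohibit-password|without-password) return 0 ;;
    esac
    [ "$pa" = no ]
}

# Usage: sh expedition_check.sh initSetup_v2.0.sh [sshd_config]
if [ $# -ge 1 ]; then
    initsetup_is_fixed "$1" && echo "initSetup: fixed" || echo "initSetup: not fixed or unverified"
    root_password_login_blocked "${2:-/etc/ssh/sshd_config}" && echo "sshd: root password login blocked" \
        || echo "sshd: root password login still possible"
fi
```

A missing date comment is reported as unverified rather than fixed, so a script whose header does not match the assumed pattern still prompts a manual look at the top of the file.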