Palo Alto Networks Security Advisories / PAN-SA-2024-0010

PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials

Urgency MODERATE

047910
Severity 9.9 · CRITICAL
Exploit Maturity N/A
Response Effort HIGH
Recovery USER
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction NONE
Product Confidentiality HIGH
Product Integrity HIGH
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality HIGH
Subsequent Integrity NONE
Subsequent Availability NONE

Description

Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system. Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

These issues do not affect the firewalls, Panorama, Prisma Access, or Cloud NGFW.

CVECVSSSummary
CVE-2024-94639.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N)An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
CVE-2024-94649.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N)An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
CVE-2024-94659.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N)An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
CVE-2024-94668.2 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N)A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.
CVE-2024-94677.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N)A reflected XSS vulnerability in Palo Alto Networks Expedition enables execution of malicious JavaScript in the context of an authenticated Expedition user’s browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Expedition browser session theft.

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
Expedition < 1.2.96>= 1.2.96
PAN-OS NoneAll
Panorama NoneAll
Prisma Access NoneAll

Severity: CRITICAL, Suggested Urgency: MODERATE

CVSS-B: 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Amber)

Exploitation Status

Palo Alto Networks is aware of reports from CISA that there is evidence of active exploitation for CVE-2024-9463 and CVE-2024-9465. More information can be found at https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-adds-two-known-exploited-vulnerabilities-catalog.

Weakness Type

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-532 Insertion of Sensitive Information into Log File

Solution

The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions.

The cleartext file affected by CVE-2024-9466 will be removed automatically during the upgrade.

All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition.

All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating.

Workarounds and Mitigations

Ensure networks access to Expedition is restricted to authorized users, hosts, or networks.

If Expedition is not in active use, ensure that Expedition software is shut down.

For CVE-2024-9465, you can check for an indicator of compromise with the following command on an Expedition system (replace "root" with your username if you are using a different username):

mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"

If you see any records returned, this indicates a potential compromise. Please note that if no records are returned, the system may still be compromised. This is only intended to indicate a potential compromise, rather than confirm a system has not been compromised.

There are no practical indicators of compromise for the remainder of the CVEs in this advisory.

Acknowledgments

Palo Alto Networks thanks Palo Alto Networks thanks Zach Hanley (@hacks_zach) of Horizon3.ai for discovering and reporting CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466. and Palo Alto Networks thanks Enrique Castillo of Palo Alto Networks for discovering and reporting CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, and CVE-2024-9467. for discovering and reporting the issue.

Timeline

Updated Exploitation Status section with report from CISA
Clarified that firewalls, Panorama, Prisma Access, and Cloud NGFW are not affected
Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.