PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials
Description
Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system. Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
These issues do not affect the firewalls, Panorama, Prisma Access, or Cloud NGFW.
| CVE | CVSS | Summary |
|---|---|---|
| CVE-2024-9463 | 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) | An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. |
| CVE-2024-9464 | 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) | An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. |
| CVE-2024-9465 | 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N) | An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system. |
| CVE-2024-9466 | 8.2 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N) | A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials. |
| CVE-2024-9467 | 7.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N) | A reflected XSS vulnerability in Palo Alto Networks Expedition enables execution of malicious JavaScript in the context of an authenticated Expedition user’s browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Expedition browser session theft. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| Expedition | < 1.2.96 | >= 1.2.96 |
| PAN-OS | None | All |
| Panorama | None | All |
| Prisma Access | None | All |
Severity: CRITICAL
CVSSv4.0 Base Score: 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Amber)
Exploitation Status
Palo Alto Networks is aware of reports from CISA that there is evidence of active exploitation for CVE-2024-9463 and CVE-2024-9465. More information can be found at https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-adds-two-known-exploited-vulnerabilities-catalog.
Weakness Type
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-532 Insertion of Sensitive Information into Log File
Solution
The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions.
The cleartext file affected by CVE-2024-9466 will be removed automatically during the upgrade.
All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition.
All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating.
Workarounds and Mitigations
Ensure networks access to Expedition is restricted to authorized users, hosts, or networks.
If Expedition is not in active use, ensure that Expedition software is shut down.
For CVE-2024-9465, you can check for an indicator of compromise with the following command on an Expedition system (replace "root" with your username if you are using a different username):
mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"If you see any records returned, this indicates a potential compromise. Please note that if no records are returned, the system may still be compromised. This is only intended to indicate a potential compromise, rather than confirm a system has not been compromised.
There are no practical indicators of compromise for the remainder of the CVEs in this advisory.
Acknowledgments
CPEs
cpe:2.3:a:paloaltonetworks:expedition:1.2.0:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:expedition:1.2.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:expedition:1.2.3:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:expedition:1.2.4:2:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:expedition:1.2.5:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:expedition:1.2.6:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:expedition:1.2.7:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:expedition:1.2.8:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:expedition:1.2.9:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:expedition:1.2.10:-:*:*:*:*:*:*