Critical Vulnerabilities in Palo Alto Networks Expedition Tool: What You Need to Know
Palo Alto Networks has recently issued a series of patches to address critical vulnerabilities in its Expedition tool, which, if left unaddressed, could expose organizations to severe security risks. These vulnerabilities allow attackers to execute commands and access sensitive data, including user credentials, potentially compromising firewall admin accounts. In this article, we will delve into the details of these vulnerabilities, their potential impact, and the necessary steps to secure your systems.
Understanding Palo Alto Networks Expedition
Expedition is an advanced version of the Palo Alto Networks Migration Tool, designed to facilitate the migration of configurations from various vendors to Palo Alto Networks’ PAN-OS. By streamlining these migrations, Expedition saves administrators significant time while optimizing configurations. However, the recent vulnerabilities have raised concerns about the security of this essential tool.
Details of the Vulnerabilities
Palo Alto Networks has disclosed five new vulnerabilities affecting Expedition, which could allow attackers to access sensitive information such as usernames, cleartext passwords, device configurations, and API keys for PAN-OS firewalls. The vulnerabilities include OS command injections, SQL injection, cleartext storage of credentials, and Cross-site Scripting (XSS). The most critical vulnerabilities are as follows:
- CVE-2024-9463 (CVSS 9.9): An unauthenticated attacker can execute OS commands as root, gaining access to sensitive data like usernames, cleartext passwords, and PAN-OS firewall API keys.
- CVE-2024-9464 (CVSS 9.3): This command injection flaw, exploitable by an authenticated user, allows attackers to run OS commands as root, leading to similar data exposure as CVE-2024-9463.
- CVE-2024-9465 (CVSS 9.2): An unauthenticated SQL injection vulnerability that provides access to the Expedition database, exposing usernames and password hashes, and allowing attackers to create and read files.
Additionally, two high-severity vulnerabilities are noted:
- CVE-2024-9466 (CVSS 8.2): Cleartext storage of sensitive data enables attackers to reveal usernames, passwords, and API keys.
- CVE-2024-9467 (CVSS 7.0): A reflected XSS flaw that allows malicious JavaScript execution, potentially leading to phishing attacks or session theft.
Discovery of the Flaws
The vulnerabilities were uncovered during an investigation of CVE-2024-5910, a previous admin credential reset flaw. Researcher Zach Hanley from Horizon3.ai discovered additional critical issues, including CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466. The original flaw allowed attackers to reset admin credentials remotely due to missing authentication checks. Upon gaining admin access, Hanley found that attackers could achieve remote code execution through files like “CronJobs.php.” Further investigation revealed an SQL injection flaw in “CHECKPOINT.php,” enabling unauthorized access to database data.
Hanley has released a Proof-of-Concept (PoC) exploit that combines the initial admin reset vulnerability with the newly discovered command injection flaw, allowing unauthenticated command execution on vulnerable Expedition servers. A PoC for CVE-2024-9465 is also available on GitHub.
Affected Versions of Expedition
Palo Alto Networks confirmed that these vulnerabilities impact Expedition versions earlier than 1.2.96. Importantly, the company clarified that the issues do not affect Palo Alto’s firewalls, Panorama, Prisma Access, or Cloud NGFW solutions. Users are urged to update to version 1.2.96 or later, where fixes for all identified vulnerabilities are included. During the upgrade, the cleartext file linked to CVE-2024-9466 will be automatically removed to mitigate risks.
Current Exploitation Status
As of now, Palo Alto Networks has confirmed that there is no evidence of these vulnerabilities being actively exploited in attacks. A Shodan search revealed that only 22 Expedition servers are exposed to the internet, which is relatively low, as the application typically does not need to be internet-facing. However, with publicly available PoC exploits, the risk of malicious use by threat actors is heightened, making timely patching essential to avoid exploitation.
Steps to Secure Your Systems
In light of these vulnerabilities, organizations must act swiftly to avoid breaches and prevent sensitive data exposure. Here are some recommended actions:
- Update Expedition: Patch Expedition to version 1.2.96 or later to mitigate these critical vulnerabilities.
- Rotate Credentials: Along with applying the updates, it is advisable to rotate all usernames, passwords, and API keys, as well as firewall credentials.
- Restrict Network Access: Limit network access to authorized users, hosts, or networks. If Expedition is not in active use, consider shutting it down.
Indicators of Compromise (IOCs)
To identify potential exploitation of these vulnerabilities, inspect the file /var/apache/log/access.log for suspicious HTTP requests targeting the following endpoints:
- /OS/startup/restore/restoreAdmin.php (resets admin credentials)
- /bin/Auth.php (authenticates with reset credentials)
- /bin/CronJobs.php (inserts malicious SQL data for command injection)
- /bin/configurations/parsers/Checkpoint/CHECKPOINT.php (unauthenticated SQL injection)
For CVE-2024-9465, you can run the following command on an Expedition system to check for potential indicators of compromise (replace “root” with your username if different):
mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"
If records are returned, it could indicate a compromise; however, a lack of records does not necessarily confirm the system is secure.
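The access.log review described above can be scripted. The following is an added example, not code from Palo Alto Networks or the researchers: it parses Apache combined-format lines, flags requests to the four IOC endpoints (ignoring any query string), and ranks source IPs by how many of those endpoints they touched, which helps spot the reset-then-authenticate-then-CronJobs sequence. The sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Endpoints the advisory lists as IOCs, with the role each plays in the attack chain.
SUSPICIOUS_ENDPOINTS = {
    "/OS/startup/restore/restoreAdmin.php": "resets admin credentials",
    "/bin/Auth.php": "authenticates with reset credentials",
    "/bin/CronJobs.php": "inserts malicious SQL data for command injection",
    "/bin/configurations/parsers/Checkpoint/CHECKPOINT.php": "unauthenticated SQL injection",
}

# Apache combined log format, e.g.:
# 203.0.113.5 - - [09/Oct/2024:12:00:01 +0000] "POST /bin/Auth.php HTTP/1.1" 200 512 "-" "curl/8.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_suspicious_requests(lines):
    """Return one dict per request whose path matches an IOC endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line: skip rather than crash
        path = m.group("path").split("?", 1)[0]  # ignore the query string when matching
        reason = SUSPICIOUS_ENDPOINTS.get(path)
        if reason:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "method": m.group("method"), "path": path,
                         "status": int(m.group("status")), "reason": reason})
    return hits

def sources_by_hit_count(hits):
    """Source IPs ranked by how many IOC requests they made (most active first)."""
    return Counter(h["ip"] for h in hits).most_common()

# Constructed sample log lines (not from a real system), using documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Oct/2024:12:00:01 +0000] "POST /OS/startup/restore/restoreAdmin.php HTTP/1.1" 200 143 "-" "curl/8.0"
203.0.113.5 - - [09/Oct/2024:12:00:02 +0000] "POST /bin/Auth.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [09/Oct/2024:12:00:03 +0000] "POST /bin/CronJobs.php?action=add HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [09/Oct/2024:12:05:44 +0000] "GET /index.php HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Oct/2024:12:06:10 +0000] "GET /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1" 200 17 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    found = find_suspicious_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["reason"]}')
    print("IOC requests per source:", sources_by_hit_count(found))
```

On a real host, feed it the lines of /var/apache/log/access.log; as with the cronjobs query, an empty result does not prove the system is clean.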
For more details on the vulnerabilities and mitigation guidance, refer to the Palo Alto advisory and researchers’ technical write-up.
Conclusion
The recent vulnerabilities in the Palo Alto Networks Expedition tool highlight the critical importance of timely patching and proactive security measures. Organizations must remain vigilant and take immediate action to secure their systems against potential threats. By staying informed and implementing best practices, businesses can protect their sensitive data and maintain the integrity of their network security.