CISA warns of more Palo Alto Networks bugs exploited in attacks

CISA warned today that two more critical security vulnerabilities in Palo Alto Networks' Expedition migration tool are now actively exploited in the wild.

Attackers can use the two unauthenticated command injection (CVE-2024-9463) and SQL injection (CVE-2024-9465) vulnerabilities to hack into unpatched systems running the company's Expedition migration tool, which helps migrate configurations from Checkpoint, Cisco, and other supported vendors.

While CVE-2024-9463 allows attackers to run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, the second flaw can be exploited to access Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and create or read arbitrary files on vulnerable systems.

Palo Alto Networks is shipping security updates addressing these issues in Expedition 1.2.96 and later. The company advises admins who can't immediately update the software to restrict Expedition network access to authorized users, hosts, or networks.

"Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system," Palo Alto Networks added in a security advisory published in early October that still needs to be updated to warn customers that attackers are exploiting these vulnerabilities in the wild.

"Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls."

"All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition. All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating," it added, saying that these security flaws do not affect its firewall, Panorama, Prisma Access, and Cloud NGFW products.

Federal agencies ordered to patch within three weeks

On Thursday, CISA added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch Palo Alto Networks Expedition servers on their networks within three weeks, by December 5, as required by the binding operational directive (BOD 22-01).

One week ago, the cybersecurity agency warned of another Expedition security flaw—a critical missing authentication vulnerability (CVE-2024-5910) patched in July that can let threat actors reset application admin credentials—actively abused in attacks.

Even though CISA has yet to provide more information on these ongoing attacks, proof-of-concept exploit code released by Horizon3.ai vulnerability researcher Zach Hanley last month can help chain CVE-2024-5910 with another command injection vulnerability (CVE-2024-9464) patched in October to gain "unauthenticated" arbitrary command execution on vulnerable and Internet-exposed Expedition servers.

CVE-2024-9464 can be chained with other Expedition flaws (also addressed last month) to take over firewall admin accounts and hijack unpatched PAN-OS firewalls.