Palo Alto Networks is warning administrators of six vulnerabilities in its Expedition configuration migration tool, the most severe of them critical, that should be patched immediately.
Several of the vulnerabilities allow an attacker to read Expedition's database contents and arbitrary files, and to write arbitrary files to temporary storage locations on the Expedition system, the company said in a security advisory this week.
Expedition lets admins migrate firewall configurations from other vendors' products, including Cisco Systems', to a Palo Alto Networks product, so the data at risk includes usernames, cleartext passwords, device configurations, and device API keys of firewalls running Palo Alto Networks' PAN-OS operating system.
The vulnerabilities don't affect PAN-OS firewalls, Panorama, Prisma Access, or Cloud NGFW themselves. Even so, the most severe of the flaws carries a CVSS base score of 9.9, reflecting both the sensitivity of what can be stolen and the fact that it needs no authentication. So far the company says it's not aware of any malicious exploitation of the flaws.
The fixes are available in Expedition 1.2.96 and later; CVE-2024-5910, disclosed in July, was already fixed in 1.2.92.
All Expedition usernames, passwords and API keys should be rotated after upgrading to the fixed version, the company said. In addition, all firewall usernames, passwords and API keys that Expedition has processed should be rotated after the update, since they may have been stored in cleartext (see CVE-2024-9466 below) and a patch does nothing for credentials already exposed.
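As an added triage helper, not part of the Palo Alto Networks advisory or of Expedition itself, the following POSIX shell script checks an installed version string against the fix thresholds named on this page (1.2.92 for CVE-2024-5910, 1.2.96 for the rest) and lists what is still open. It takes the version as an argument because how to read it off a given install is not covered here; the field-by-field numeric comparison matters because a plain string compare would rank 1.2.100 below 1.2.96.

```shell
#!/bin/sh
# Added example, not part of the Palo Alto Networks advisory or of Expedition.
# Given an Expedition version string, list which of the six CVEs are still unfixed.
# Fix thresholds are those stated in the advisories: 1.2.92 for CVE-2024-5910,
# 1.2.96 for the five CVEs published in October 2024.

EXPEDITION_FIXES='CVE-2024-5910 1.2.92
CVE-2024-9463 1.2.96
CVE-2024-9464 1.2.96
CVE-2024-9465 1.2.96
CVE-2024-9466 1.2.96
CVE-2024-9467 1.2.96'

valid_version() {
  # Accept only MAJOR.MINOR or MAJOR.MINOR.PATCH with numeric fields.
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?$'
}

ver_ge() {
  # Return 0 if version $1 >= version $2, comparing each dot-separated field
  # numerically, so 1.2.100 ranks above 1.2.96 (a string compare would not).
  _i=1
  while [ "$_i" -le 3 ]; do
    _x=$(printf '%s\n' "$1" | cut -d. -f"$_i")
    _y=$(printf '%s\n' "$2" | cut -d. -f"$_i")
    _x=${_x:-0}
    _y=${_y:-0}
    if [ "$_x" -gt "$_y" ]; then return 0; fi
    if [ "$_x" -lt "$_y" ]; then return 1; fi
    _i=$((_i + 1))
  done
  return 0
}

expedition_open_cves() {
  # Print one line per CVE that version $1 does not fix; prints nothing when
  # fully patched. Returns 2 for a malformed version string.
  valid_version "$1" || return 2
  printf '%s\n' "$EXPEDITION_FIXES" | while read -r _cve _fixed; do
    if ! ver_ge "$1" "$_fixed"; then
      printf '%s (fixed in %s)\n' "$_cve" "$_fixed"
    fi
  done
}

expedition_is_fixed() {
  # Return 0 when version $1 carries every fix, 1 when something is still open,
  # 2 when the version string is malformed.
  valid_version "$1" || return 2
  [ -z "$(expedition_open_cves "$1")" ]
}

# Usage: sh expedition_check.sh 1.2.95 1.2.96
if [ $# -gt 0 ]; then
  for _v in "$@"; do
    if ! valid_version "$_v"; then
      printf '%s: not a version string\n' "$_v" >&2
    elif expedition_is_fixed "$_v"; then
      printf '%s: all six CVEs fixed\n' "$_v"
    else
      printf '%s: still exposed to\n' "$_v"
      expedition_open_cves "$_v" | sed 's/^/  /'
    fi
  done
fi
```

Running it against 1.2.95 lists the five October CVEs and omits CVE-2024-5910; 1.2.91 lists all six; 1.2.96 and anything later prints nothing.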
If Expedition can't be updated immediately, admins should make sure network access to the tool is restricted to authorized users, hosts or networks until the new version is installed.
Expedition is usually deployed on an Ubuntu server and accessed through a web service; admins who use it for integration add each target system's credentials to it, according to researchers at Horizon3.ai, who discovered four of the six vulnerabilities.
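The interim advice above is to restrict who can reach the tool. As an added example of doing that at the host level (not Palo Alto Networks' guidance verbatim, and not Expedition's own code), the following POSIX shell script generates, and optionally applies, ufw rules that allow an admin allowlist to reach the Expedition web service and deny everyone else. It assumes the web service listens on TCP 443 and 80, which you should confirm on your own install, and that the host uses ufw, Ubuntu's default iptables front end; only those two ports are touched, so existing SSH access is left alone.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks' guidance verbatim and not Expedition's code:
# restrict the Expedition web service on its Ubuntu host to an allowlist of admin
# networks until the upgrade is done. Assumptions: the service listens on TCP 443
# and 80 (adjust EXPEDITION_PORTS if yours differs) and the host uses ufw.
# Only those ports are touched, so existing SSH access is unaffected.

EXPEDITION_PORTS="443 80"

valid_cidr() {
  # Accept an IPv4 address with an optional /prefix; every octet 0-255, prefix 0-32.
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  _ip=${1%%/*}
  _prefix=${1#*/}
  if [ "$_prefix" = "$1" ]; then _prefix=32; fi   # no slash given: a single host
  [ "$_prefix" -le 32 ] || return 1
  _saved_ifs=$IFS
  IFS=.
  for _octet in $_ip; do
    if [ "$_octet" -gt 255 ]; then IFS=$_saved_ifs; return 1; fi
  done
  IFS=$_saved_ifs
  return 0
}

expedition_allow_rules() {
  # Print, without running, the ufw commands for the given admin CIDRs.
  # ufw evaluates rules in the order they were added and stops at the first
  # match, so each port's allows are emitted before its catch-all deny.
  [ $# -gt 0 ] || return 2
  for _cidr; do
    valid_cidr "$_cidr" || return 2
  done
  for _port in $EXPEDITION_PORTS; do
    for _cidr; do
      printf 'ufw allow from %s to any port %s proto tcp\n' "$_cidr" "$_port"
    done
    printf 'ufw deny %s/tcp\n' "$_port"
  done
}

expedition_apply_rules() {
  # Run the generated commands (needs root and ufw). Review the output of
  # expedition_allow_rules first. Each line is built only from validated
  # tokens, so plain word splitting is safe here.
  [ $# -gt 0 ] || return 2
  for _cidr; do
    valid_cidr "$_cidr" || return 2
  done
  expedition_allow_rules "$@" | while read -r _cmd; do
    $_cmd || exit 1
  done
}

# Usage: sh expedition_allowlist.sh 10.0.0.0/24 192.168.5.10      (prints the commands)
#        EXPEDITION_APPLY=1 sh expedition_allowlist.sh 10.0.0.0/24  (applies them)
if [ $# -gt 0 ]; then
  if [ "${EXPEDITION_APPLY:-0}" = 1 ]; then
    expedition_apply_rules "$@"
  else
    expedition_allow_rules "$@"
  fi
fi
```

Two caveats when applying this: ufw rules have no effect until the firewall is enabled (`ufw status` shows whether it is), and if an earlier deny for the same port already exists you need `ufw insert` to place the allows above it rather than appending. Verify from a host outside the allowlist that the web service no longer answers, and consider putting the same control on the upstream firewall as well, since the point of the advisory is that this tool holds credentials for your firewalls.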
The vulnerabilities are:
- CVE-2024-9463, an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary commands as root on the Expedition system, resulting in disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls;
- CVE-2024-9464, an OS command injection of the same kind, except that it requires an authenticated attacker;
- CVE-2024-9465, an SQL injection vulnerability that lets an unauthenticated attacker read Expedition database contents such as password hashes, usernames, device configurations and device API keys, and create and read arbitrary files on the system;
- CVE-2024-9466, cleartext storage of firewall usernames, passwords and API keys in Expedition's logs;
- CVE-2024-9467, a reflected cross-site scripting (XSS) vulnerability that enables execution of malicious JavaScript in an authenticated Expedition user's browser if they click a malicious link;
- CVE-2024-5910, a missing-authentication flaw that lets an attacker with network access to Expedition take over the admin account.
This last flaw was first found by researchers at Horizon3.ai, who then went on to find three more (CVE-2024-9464, -9465 and -9466). In a blog post, the researchers said they stumbled across it by using Google to search for "palo alto expedition reset admin password": a simple request to a PHP endpoint on the web service reset the admin password. Admin access alone didn't let them read every stored credential, but because many of the application's files lived in a directory served as the web root, they kept digging and found ways to turn that access into full disclosure.
At the time of writing about their discovery this week, the Horizon3 researchers had found only 23 Expedition servers exposed to the internet, which they said made sense, since it isn't a tool that needs to be internet-facing. Low internet exposure doesn't make an unpatched instance low risk, though: an attacker with a foothold on the management network can reach it, and what it holds is the credentials to the firewalls themselves.