{"id":703,"date":"2024-10-11T01:45:53","date_gmt":"2024-10-11T01:45:53","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=703"},"modified":"2024-10-11T01:45:53","modified_gmt":"2024-10-11T01:45:53","slug":"admins-warned-to-update-palo-alto-networks-expedition-tool-immediately","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=703","title":{"rendered":"Admins warned to update Palo Alto Networks Expedition tool immediately"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Palo Alto Networks is warning administrators of six critical vulnerabilities in its Expedition configuration migration tool that have to be patched immediately.<\/p>\n<p>Multiple vulnerabilities allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system,<a href=\"https:\/\/security.paloaltonetworks.com\/PAN-SA-2024-0010\"> the company said in a security advisory this week.<\/a><\/p>\n<p><a href=\"https:\/\/live.paloaltonetworks.com\/t5\/expedition-articles\/what-is-expedition\/ta-p\/215236\">Expedition<\/a> lets admins migrate their firewall configurations from other vendors\u2019 products \u2014 including those from <a href=\"https:\/\/www.networkworld.com\/article\/3523958\/cisco-latest-news-and-insights.html\">Cisco Systems<\/a> \u2014 to a Palo Alto Networks product, so data at risk includes usernames, cleartext passwords, device configurations, and device API keys of firewalls running Palo Alto\u2019s PAN-OS operating system.<\/p>\n<p>The vulnerabilities don\u2019t directly affect Panorama, Prisma Access, or Cloud NGFW firewalls. 
But Palo Alto Networks still gives the vulnerabilities a CVSS base score of 9.9, given the sensitivity of the information that can be stolen. So far the company says it\u2019s not aware of any malicious exploitation of the flaws.<\/p>\n<p>The fixes are available in Expedition 1.2.96 and later.<\/p>\n<p>All Expedition usernames, passwords and API keys should be rotated after upgrading to the fixed version of the application, the company said. In addition, all firewall usernames, passwords, and API keys processed by Expedition should be rotated after the update.<\/p>\n<p>If Expedition can\u2019t be immediately updated, admins should make sure network access to the tool is restricted to authorized users, hosts, or networks until the new version is installed.<\/p>\n<p>Expedition is usually deployed on an Ubuntu server and accessed through a web service. Admins using it for integration add each needed system\u2019s credentials, according to researchers at Horizon3.ai, who discovered four of the vulnerabilities.<\/p>\n<p>The vulnerabilities are:<\/p>\n<p>CVE-2024-9463, a command injection vulnerability that allows an unauthenticated attacker to run arbitrary commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls;<\/p>\n<p>CVE-2024-9464, which is an almost identical hole;<\/p>\n<p>CVE-2024-9465, an <a href=\"https:\/\/www.csoonline.com\/article\/564663\/what-is-sql-injection-how-these-attacks-work-and-how-to-prevent-them.html\">SQL injection vulnerability<\/a>;<\/p>\n<p>CVE-2024-9466, a cleartext storage vulnerability;<\/p>\n<p>CVE-2024-9467, a reflected <a href=\"https:\/\/www.csoonline.com\/article\/565192\/what-is-xss-cross-site-scripting-attacks-explained.html\">cross-site scripting (XSS) vulnerability<\/a> that enables execution of malicious JavaScript in an authenticated Expedition user\u2019s browser if they click on a malicious link;<\/p>\n<p>CVE-2024-5910, a missing 
authentication hole that could lead to admin account takeover.<\/p>\n<p>This last flaw was initially discovered by <a href=\"https:\/\/www.horizon3.ai\/attack-research\/palo-alto-expedition-from-n-day-to-full-compromise\/\">researchers at Horizon3.ai<\/a>, who then went on to find three more. In a blog, the researchers said they stumbled across it by using Google to search for \u201cpalo alto expedition reset admin password.\u201d They found that a simple PHP request to an endpoint over the web service reset the admin password. Getting admin access to Expedition didn\u2019t by itself allow reading of all stored credentials, but because many files were stored in a directory used as the web root, they hunted for and found a way to exploit their access.<\/p>\n<p>At the time of writing about their discovery this week, the Horizon3 researchers had found only 23 Expedition servers exposed to the internet, which, they said, was logical because it isn\u2019t a tool that needs to be exposed.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Palo Alto Networks is warning administrators of six critical vulnerabilities in its Expedition configuration migration tool that have to be patched immediately. 
Multiple vulnerabilities allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system, the company said in a security [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":609,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-703","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/703"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=703"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/703\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/609"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}