{"id":872,"date":"2024-11-15T15:23:08","date_gmt":"2024-11-15T15:23:08","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=872"},"modified":"2024-11-15T15:23:08","modified_gmt":"2024-11-15T15:23:08","slug":"cisos-who-delayed-patching-palo-alto-vulnerabilities-now-face-real-threat","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=872","title":{"rendered":"CISOs who delayed patching Palo Alto vulnerabilities now face real threat"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Two of six critical vulnerabilities in Palo Alto Networks\u2019 Expedition Migration tool, which the company <a href=\"https:\/\/security.paloaltonetworks.com\/PAN-SA-2024-0010\" target=\"_blank\" rel=\"noopener\">patched<\/a> in October, are being actively exploited according to the US Cybersecurity and Infrastructure Security Agency.<\/p>\n<p>CISA has now added the two vulnerabilities \u2014 <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-9463\" target=\"_blank\" rel=\"noopener\">CVE-2024-9463<\/a> and <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-9465\" target=\"_blank\" rel=\"noopener\">CVE-2024-9465<\/a> \u2014 to its known exploited vulnerabilities (KEV) catalog, putting CISOs who ignored last month\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/3557956\/admins-warned-to-update-palo-alto-networks-expedition-tool-immediately.html\" target=\"_blank\" rel=\"noopener\">warnings to patch the Palo Alto flaws<\/a> on notice that their systems are now under threat.<\/p>\n<p>A day after the CISA <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/11\/14\/cisa-adds-two-known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noopener\">alert<\/a>, the cybersecurity giant, which previously maintained a \u201cno-zero-day\u201d 
exploitation status on the bugs, updated its advisory to reflect the increased threat.<\/p>\n<p>\u201cPalo Alto Networks is aware of reports from CISA that there is evidence of active exploitation for CVE-2024-9463 and CVE-2024-9465,\u201d Palo Alto Networks said in the update.<\/p>\n<p>The vulnerabilities could allow theft of usernames, cleartext passwords, and more on unpatched instances of Expedition, a tool that enables admins to migrate their firewall configurations from other vendors\u2019 products to a Palo Alto Networks product.<\/p>\n<h2 class=\"wp-block-heading\">Bugs enable admin credential disclosure<\/h2>\n<p>CVE-2024-9463 and CVE-2024-9465 are command injection vulnerabilities that enable unauthenticated attackers to execute arbitrary OS-level commands as root and arbitrary SQL commands against the Expedition database, respectively.<\/p>\n<p>Attackers can use the flaws to read usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. The flaws can also enable the creation and reading of arbitrary files on Expedition systems once the attackers gain access to the Expedition database.<\/p>\n<p>Both CVE-2024-9463 and CVE-2024-9465 have been assigned critical ratings, with CVSS base scores of 9.9\/10 and 9.2\/10, respectively. 
Both flaws are patched in Expedition 1.2.96 and later versions.<\/p>\n<p>While CISA did not publish technical details of the exploitation, it ordered federal agencies to patch vulnerable Expedition servers by the end of November 2024, as required by the binding operational directive (<a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf\" target=\"_blank\" rel=\"noopener\">BOD 22-01<\/a>) for critical vulnerabilities.<\/p>\n<p>\u201cPalo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet,\u201d Palo Alto Networks said in another <a href=\"https:\/\/security.paloaltonetworks.com\/PAN-SA-2024-0015\" target=\"_blank\" rel=\"noopener\">advisory<\/a> update, adding \u201cWe do not have sufficient information about any indicators of compromise to share at this time.\u201d<\/p>\n<p>If a compromise is suspected, customers are advised to monitor for suspicious activity such as unrecognised configuration changes or unrecognised users.<\/p>\n<p>As additional workarounds, all Expedition and firewall usernames, passwords, and API keys must be rotated, the Expedition software should be shut down when not in use, and network access to Expedition must be restricted to authorised users, hosts, or networks, the company added.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Two of six critical vulnerabilities in Palo Alto Networks\u2019 Expedition Migration tool, which the company patched in October, are being actively exploited according to the US Cybersecurity and Infrastructure Security Agency. 
CISA has now added the two vulnerabilities \u2014 CVE-2024-9463 and CVE-2024-9465 \u2014 to its known exploited vulnerabilities (KEV) catalog, putting CISOs who ignored last [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":869,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-872","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/872"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=872"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/872\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/869"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}