The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Thursday regarding the active exploitation of two critical security vulnerabilities in Palo Alto Networks’ Expedition migration tool.
For those unaware, Palo Alto Networks Expedition is a tool that helps migrate configurations from third-party security vendors such as Check Point, Cisco, and others to Palo Alto Networks firewalls.
The two new flaws are an unauthenticated command injection bug (CVE-2024-9463) and an SQL injection flaw (CVE-2024-9465).
The first flaw, CVE-2024-9463 (CVSS score: 9.9), is an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
On the other hand, the second flaw, CVE-2024-9465 (CVSS score: 9.2), is an SQL injection vulnerability in Palo Alto Networks Expedition.
This vulnerability allows an unauthenticated attacker to disclose Expedition database contents, such as password hashes, usernames, device configurations, and device API keys.
Attackers can also use this to create and read arbitrary files on the Expedition system.
“Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system. Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. These issues do not affect the firewalls, Panorama, Prisma Access, or Cloud NGFW,” Palo Alto Networks wrote in a security advisory published in early October.
The company has updated this security advisory to include the following: “Palo Alto Networks is aware of reports from CISA that there is evidence of active exploitation for CVE-2024-9463 and CVE-2024-9465.”
Palo Alto Networks has released security updates in Expedition 1.2.96 and all later versions to address the above vulnerabilities.
The company recommends that admins unable to update the software immediately restrict network access to Expedition to authorized users, hosts, or networks.
Additionally, CISA added the two new flaws to its Known Exploited Vulnerabilities (KEV) catalog on Thursday and mandated that federal agencies patch Palo Alto Networks Expedition servers on their networks by December 5, in line with Binding Operational Directive 22-01 (BOD 22-01).
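As an added example (not code from the article, CISA or Palo Alto Networks), the following script triages a constructed inventory of Expedition hosts against the fixed release and the KEV deadline named above; hostnames, versions and the status labels are assumptions, and it only compares version numbers, not the product's own update mechanism.

```python
# Added example: triage Expedition hosts against the 1.2.96 fix and the
# BOD 22-01 deadline. Hostnames/versions below are constructed sample data.
from datetime import date

FIXED_VERSION = (1, 2, 96)          # Expedition 1.2.96 and later carry the fix
KEV_DEADLINE = date(2024, 12, 5)    # due date CISA set under BOD 22-01


def parse_version(text: str) -> tuple[int, ...]:
    """'1.2.96' -> (1, 2, 96). Compare tuples, never raw strings: as text,
    '1.2.100' sorts before '1.2.96' and a patched host would be flagged."""
    return tuple(int(part) for part in text.strip().split("."))


def is_fixed(version: str) -> bool:
    return parse_version(version) >= FIXED_VERSION


def triage(inventory: list[tuple[str, str, bool]], today: str) -> dict[str, str]:
    """inventory rows: (hostname, Expedition version, reachable from untrusted nets).
    today is an ISO date. Status per host (labels are this example's own):
      'patched'           - running 1.2.96 or later
      'patch-now'         - vulnerable and reachable beyond authorized hosts
      'patch-or-restrict' - vulnerable but already access-restricted
    Unpatched hosts past the KEV deadline get ' (overdue)' appended."""
    overdue = date.fromisoformat(today) > KEV_DEADLINE
    result: dict[str, str] = {}
    for host, version, exposed in inventory:
        if is_fixed(version):
            result[host] = "patched"
            continue
        status = "patch-now" if exposed else "patch-or-restrict"
        result[host] = status + (" (overdue)" if overdue else "")
    return result


# Constructed sample inventory (made-up hostnames and versions)
SAMPLE_INVENTORY = [
    ("expedition-01.example", "1.2.96", True),
    ("expedition-02.example", "1.2.95", True),
    ("expedition-03.example", "1.2.100", False),
    ("expedition-04.example", "1.1.9", False),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY, "2024-11-15").items():
        print(f"{host}: {status}")
```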