CISA

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added two high-severity vulnerabilities affecting Palo Alto Networks Expedition to its Known Exploited Vulnerability (KEV) Catalog.

The two Palo Alto Networks vulnerabilities, which are actively being targeted by cybercriminals, are identified as CVE-2024-9463 and CVE-2024-9465; both have critical severity ratings and are known to be actively exploited in real-world attacks. Organizations using affected versions of Palo Alto Networks Expedition are urged to take immediate action to mitigate the risks.

The vulnerabilities in question—CVE-2024-9463 (OS Command Injection) and CVE-2024-9465 (SQL Injection)—impact Palo Alto Networks’ Expedition software, a tool for migrating and optimizing PAN-OS configurations. Both flaws have been assigned CVSSv4 scores of 9.9 and 9.2, respectively, signifying their high criticality.

These vulnerabilities could allow attackers to gain unauthorized access to sensitive data or execute arbitrary commands on affected systems, posing online risks to organizations’ security.

Details of Palo Alto Networks Vulnerabilities: CVE-2024-9463 and CVE-2024-9465

The first vulnerability, CVE-2024-9463, is a critical OS command injection flaw that affects Palo Alto Networks Expedition. Assigned a CVSSv4 score of 9.9, this vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on the affected system.

If successfully exploited, this can compromise the integrity of the system, giving attackers the ability to disclose sensitive information. This includes usernames, cleartext passwords, device configurations, and API keys associated with PAN-OS firewalls, which are critical for securing network traffic.

Attackers exploiting this flaw can gain root access to these systems, making this vulnerability a prime target for those seeking to compromise firewall configurations and sensitive network data.

Another critical flaw, CVE-2024-9465, is a SQL injection vulnerability found in Expedition. This flaw, with a CVSSv4 score of 9.2, allows attackers to interact with and manipulate the system’s database, exposing sensitive information such as password hashes, usernames, and device configurations. Exploiting this vulnerability could give attackers the ability to create and read arbitrary files on the system, which increases the risk of a full system compromise.

Similar to CVE-2024-9463, the vulnerable version for CVE-2024-9465 is Expedition < 1.2.96. Additionally, proof-of-concept (PoC) exploits for this vulnerability have already been released to the public, escalating the risk of widespread attacks. As the PoC code is now accessible, it allows potential attackers to easily replicate the exploit and target vulnerable systems more efficiently.

Both CVE-2024-9463 and CVE-2024-9465 are critical vulnerabilities in the Expedition software suite. Organizations that are running versions of Expedition older than 1.2.96 are strongly advised to immediately update to the latest patched version. Given the severity and the ongoing active exploitation of these vulnerabilities, patching is crucial to protect sensitive information and maintain system security.

Cyble researchers have observed active exploitation of these flaws, with CVE-2024-9463 being particularly concerning due to its ability to grant attackers root-level access. This could result in a wide range of malicious activities, including data breaches, ransomware deployment, and unauthorized system modifications. Organizations should be particularly vigilant in monitoring their systems for signs of exploitation.

Recommendations and Mitigations

Palo Alto Networks has already released patches to address both vulnerabilities and organizations are urged to upgrade to Expedition version 1.2.96 or later. However, simply applying the patch may not be enough. The following mitigation strategies are recommended:

  • Organizations should immediately apply the latest patches released by Palo Alto Networks to close the vulnerabilities. Ensuring that systems are updated with the latest software versions will significantly reduce the risk of exploitation.

  • After upgrading to the fixed version of Expedition, all Expedition usernames, passwords, and API keys should be rotated to prevent attackers from using previously exposed credentials to access systems. Similarly, any firewall usernames, passwords, and API keys processed by Expedition should also be updated to maintain system security.

  • Organizations should implement comprehensive monitoring and logging solutions to detect suspicious activities. SIEM (Security Information and Event Management) tools can help organizations identify and respond to potential exploitation attempts in real-time.

  • Regular vulnerability assessments and penetration testing should be conducted to identify and address any other potential weaknesses. This proactive approach ensures that other unknown vulnerabilities are addressed.

  • Organizations should have a well-defined incident response and recovery plan in place, which includes procedures for detecting, responding to, and mitigating the effects of an attack. Regular testing and updates to the plan are crucial to ensure readiness against online threats.

Conclusion

The inclusion of CVE-2024-9463 and CVE-2024-9465 in CISA’s Known Exploited Vulnerabilities catalog highlights the urgent need for organizations to address these critical vulnerabilities in the Palo Alto Networks Expedition.

With active exploitation ongoing, it is important for organizations using vulnerable versions to prioritize patching and apply recommended security measures. Delaying action could lead to severe data breaches and system compromises.

References:

The post CISA Adds Two Critical Palo Alto Networks Vulnerabilities to Known Exploited Catalog appeared first on Cyble.