
Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday alerted federal agencies regarding active exploitation of a critical missing authentication vulnerability in Palo Alto Networks’ Expedition, a tool widely used by administrators for firewall migration and configuration management.

This flaw, designated CVE-2024-5910, has been actively exploited by attackers since its patch release in July, underscoring the urgency for immediate remediation.

Expedition is a popular migration tool designed to assist administrators in transitioning firewall configurations from vendors such as Check Point and Cisco to Palo Alto’s PAN-OS. However, due to a missing authentication mechanism, this tool now presents a significant risk for compromised credentials and potentially severe network intrusions.

What is the CVE-2024-5910 Vulnerability?

The CVE-2024-5910 vulnerability in Palo Alto Networks’ Expedition tool is a missing authentication flaw that allows an attacker with network access to the tool to take over an Expedition admin account.

Once exploited, attackers can potentially gain access to sensitive configuration secrets, credentials, and other data stored within the tool. This flaw carries a critical CVSSv4.0 base score of 9.3.

According to Palo Alto Networks, only Expedition versions below 1.2.92 are vulnerable, while all versions from 1.2.92 and onward are protected against this flaw. As CISA emphasized, the lack of authentication on such a critical function poses severe security risks, especially for government and enterprise environments relying on Expedition for firewall migration and tuning.

Technical Details and Vulnerability Summary

  • Vulnerability: CVE-2024-5910 (Missing Authentication for Critical Function)
  • Severity: CRITICAL (CVSSv4.0 Score: 9.3)
  • Affected Versions: Expedition versions below 1.2.92
  • Unaffected Versions: Expedition 1.2.92 and later
  • Weakness Type: CWE-306, Missing Authentication for Critical Function
  • Impact: Admin account takeover, access to sensitive configuration data, potential firewall control

Likely Reason for Exploitation of CVE-2024-5910

Although Palo Alto Networks initially released a patch in July to fix CVE-2024-5910, the exploitation attempts likely escalated when security researcher Zach Hanley from Horizon3.ai released a proof-of-concept (PoC) in October.

This PoC showed how the CVE-2024-5910 admin reset vulnerability could be chained with a separate command injection vulnerability, CVE-2024-9464. The combination allows unauthenticated, arbitrary command execution on vulnerable Expedition servers, enabling attackers to execute commands remotely.

This chained vulnerability scenario magnifies the risk, as attackers can exploit the admin reset vulnerability to ultimately compromise PAN-OS firewall admin accounts, providing full control over firewall configurations and potentially allowing access to sensitive network areas.

CISA’s Known Exploited Vulnerabilities Catalog Update

Adding to the urgency, CISA has included CVE-2024-5910 in its Known Exploited Vulnerabilities (KEV) Catalog. This addition mandates all U.S. federal agencies to secure vulnerable Expedition servers against potential attacks by November 28. This move underscores the federal directive for securing essential digital infrastructure against known vulnerabilities, especially those that facilitate admin credential resets and remote command execution.

Recommendations and Mitigations

To secure systems against this exploit, it is strongly recommended that administrators:

  1. Upgrade Expedition to Version 1.2.92 or Later: This release addresses CVE-2024-5910 and subsequent vulnerabilities, providing a robust safeguard against admin account takeover and unauthorized access.
  2. Rotate All Credentials Post-Upgrade: After updating to the latest version, administrators should rotate all Expedition usernames, passwords, and API keys. Additionally, all firewall usernames, passwords, and API keys processed through Expedition should be reset to prevent any potential misuse of compromised credentials.
  3. Restrict Network Access: As a mitigating measure, organizations unable to immediately apply the patch should restrict network access to Expedition servers to authorized users and hosts only. Network segmentation and access control lists (ACLs) should be employed to limit exposure.
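The first step above hinges on one number: hosts below 1.2.92 need the upgrade. The following is an added triage example (not code from the Cyble post or from Palo Alto Networks) that checks an inventory of Expedition hosts against that threshold with a proper per-component version comparison; the hostnames and versions are constructed sample data.

```python
"""Triage Expedition hosts against the CVE-2024-5910 fixed version (1.2.92).

Added example; the inventory is constructed. A real run would read it from a
CMDB or scanner export (hypothetical source, not shown here).
"""
from typing import Optional, Tuple

FIXED_VERSION = (1, 2, 92)  # first release the advisory lists as unaffected


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '1.2.92' into (1, 2, 92); return None for anything unparseable."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below 1.2.92, False if 1.2.92 or later, None if unknown.

    Components are compared numerically: a plain string comparison ranks
    '1.2.100' below '1.2.92' and would mark a patched host as vulnerable.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def triage(inventory):
    """Group (host, version) pairs into 'upgrade', 'patched' and 'unknown'."""
    buckets = {"upgrade": [], "patched": [], "unknown": []}
    for host, version in inventory:
        state = is_vulnerable(version)
        key = "unknown" if state is None else ("upgrade" if state else "patched")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("expedition-01.example.net", "1.2.91"),
    ("expedition-02.example.net", "1.2.92"),
    ("expedition-03.example.net", "1.2.100"),
    ("expedition-04.example.net", "1.1.110"),
    ("expedition-05.example.net", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts landing in the "unknown" bucket should be treated as unpatched until their version is confirmed, and every host in "upgrade" also needs the credential rotation from step 2 once it is updated.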

Conclusion

The exploitation of CVE-2024-5910 exemplifies the persistent challenge organizations face in securing digital tools that facilitate network management and firewall configuration. Regular patching, vigilant credential management, and access control are fundamental to safeguarding critical infrastructure against similar vulnerabilities.

With CISA actively monitoring this threat and urging patching compliance, addressing this vulnerability is essential not only for regulatory compliance but for maintaining network security integrity.

By upgrading to the latest version of Expedition and implementing the outlined mitigations, organizations can strengthen their defenses against these specific exploits and prevent unauthorized access to network configurations.

Sources:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-5910&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=

https://security.paloaltonetworks.com/CVE-2024-5910

https://github.com/horizon3ai/CVE-2024-9464

The post CISA Finds Palo Alto Networks’ CVE-2024-5910 Exploited in the Wild appeared first on Cyble.