November 14, 2024 at 05:03PM
CISA has added two critical vulnerabilities in Palo Alto Networks’ Expedition migration tool to its Known Exploited Vulnerabilities catalog, confirming active exploitation: CVE-2024-9463 (unauthenticated OS command injection) and CVE-2024-9465 (unauthenticated SQL injection). Federal agencies must patch affected systems by December 5. Security updates are available in Expedition 1.2.96 and later, and all credentials processed by Expedition should be rotated after the update.
**Meeting Takeaways:**
1. **Vulnerabilities Identified**: CISA reported two critical security vulnerabilities in Palo Alto Networks’ Expedition migration tool:
– CVE-2024-9463: OS command injection that lets an unauthenticated attacker execute arbitrary commands as root on the Expedition host.
– CVE-2024-9465: SQL injection that lets an unauthenticated attacker read Expedition database contents, including sensitive data.
2. **Potential Risks**:
– Exposed information includes usernames, cleartext passwords, device configurations, and API keys of PAN-OS firewalls.
– Attackers can also create or read arbitrary files on compromised systems.
3. **Security Updates**:
– Palo Alto Networks has released security updates in Expedition version 1.2.96 and later.
– Admins unable to update immediately should restrict network access to authorized users, hosts, or networks.
4. **Post-Upgrade Recommendations**:
– All usernames, passwords, and API keys processed by Expedition should be rotated after upgrading to the patched version.
5. **Federal Response**:
– CISA has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog and mandated that federal agencies patch their Expedition servers by December 5, three weeks from the catalog entry.
6. **Related Vulnerabilities**:
– A previously reported vulnerability (CVE-2024-5910), a missing-authentication flaw that allows Expedition admin credentials to be reset, is also being actively exploited.
– A proof-of-concept exploit has been released that can chain multiple vulnerabilities for unauthorized command execution and take over firewall admin accounts.
7. **Impact on Other Products**: The identified vulnerabilities do not affect Palo Alto Networks’ firewall, Panorama, Prisma Access, and Cloud NGFW products.
Overall, organizations using the Expedition tool should prioritize updates and security measures to protect against these vulnerabilities.
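A small triage script for the update and post-upgrade steps in items 3 and 4 above, added here as an example; it is not Palo Alto Networks or CISA code. It assumes only what the advisory states, that Expedition 1.2.96 is the first fixed release. The inventory it runs over is constructed sample data, and the `exposed` and `creds_rotated` fields are hypothetical attributes an asset inventory might carry. The one thing worth taking from it is the version comparison: compared as strings, "1.2.100" sorts below "1.2.96", so a naive check would misclassify a patched host.

```python
"""Expedition patch-status triage (added example, not vendor code).

FIXED_VERSION comes from the advisory text ("1.2.96 and later").
INVENTORY is constructed sample data; `exposed` and `creds_rotated`
are hypothetical inventory attributes.
"""
from __future__ import annotations

FIXED_VERSION = "1.2.96"

ACT_UPGRADE = "upgrade to Expedition 1.2.96 or later"
ACT_RESTRICT = "restrict network access to authorized users, hosts or networks until upgraded"
ACT_ROTATE = "rotate all usernames, passwords and API keys processed by Expedition"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.2.96' into (1, 2, 96) so comparisons are numeric.

    A plain string compare gets this wrong: '1.2.100' < '1.2.96'
    lexically, which would mark a patched host as still vulnerable.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is at or above the first fixed release."""
    return parse_version(version) >= parse_version(fixed)


# Constructed inventory: hostname, Expedition version, whether the web UI is
# reachable beyond the management allow-list, and whether credentials that
# passed through this instance have already been rotated.
INVENTORY = [
    {"host": "expedition-01", "version": "1.2.95", "exposed": True, "creds_rotated": False},
    {"host": "expedition-02", "version": "1.2.96", "exposed": False, "creds_rotated": True},
    {"host": "expedition-03", "version": "1.2.100", "exposed": True, "creds_rotated": False},
    {"host": "expedition-04", "version": "1.1.50", "exposed": False, "creds_rotated": False},
]


def triage(inventory: list[dict]) -> list[dict]:
    """Return, per host, whether it is patched and which advisory actions remain."""
    findings = []
    for item in inventory:
        patched = is_patched(item["version"])
        actions = []
        if not patched:
            actions.append(ACT_UPGRADE)
            # Interim mitigation from the advisory applies only while the
            # host is both unpatched and reachable outside the allow-list.
            if item["exposed"]:
                actions.append(ACT_RESTRICT)
        # Credentials handled by a vulnerable release are treated as exposed
        # regardless of whether compromise was observed; rotate once, after
        # the upgrade, and record it so the host drops off this list.
        if not item["creds_rotated"]:
            actions.append(ACT_ROTATE)
        findings.append(
            {"host": item["host"], "version": item["version"], "patched": patched, "actions": actions}
        )
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY):
        status = "patched" if f["patched"] else "VULNERABLE"
        print(f"{f['host']:14} {f['version']:8} {status:10} " + ("; ".join(f["actions"]) or "no action"))
```

Run it against a real inventory export by replacing `INVENTORY`; hosts whose `actions` list is empty are done, and every other row is a ticket.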