A report released by the Cybersecurity and Infrastructure Security Agency, a nonprofit organization that monitors and analyzes threats to the nation's infrastructure, found that Palo Alto Networks' firewall management software was actively exploited in the wild on Thursday. These attacks followed last week's attacks that exploited flaws in similar software.
Attackers can exploit the unauthenticated command injection vulnerability (CVE-2024-9463) and the SQL injection vulnerability (CVE-2024-9465) to gain access to unpatched systems running the company's Expedition migration tool.
This tool allows users to migrate configurations from Checkpoint, Cisco, and other supported vendors to new systems.
CVE-2024-9463 is a vulnerability that allows attackers to run arbitrary commands as root on a PAN-OS firewall system, revealing usernames, cleartext passwords, device configurations, and device API keys. Secondly, a second vulnerability can be exploited to gain access to Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and create or read arbitrary files on vulnerable systems by exploiting this vulnerability.
There is important information in CVE-2024-9474 that could lend itself to a chained attack scenario, potentially resulting in a high level of security breach. It should be noted that Palo Alto Networks has publicly acknowledged the CVE, but has not yet provided detailed technical information on the vulnerability's mechanics. This leaves room for speculation regarding what is causing the vulnerability.
A spokesperson for Palo Alto Networks (PAN) confirmed patches were available to address these security vulnerabilities, and stated the company is "monitoring a limited set of exploit activities" and is working with external researchers, business partners, and customers to share information in a timely fashion.
It was reported to CISA that CVE-2024-5910 had been added to the KEV catalog on Nov. 7 but the software vendor had originally disclosed the bug back in July.
To exploit this vulnerability, there needs to be authentication within the firewall deployment and management software. Without authentication, an administrator account can be taken over by getting access to the network. There is a CVSS score of 9.3 for the vulnerability, and it is also reported to Palo Alto Networks as PAN-SA-2024-0015, as well.
As a result, Palo Alto Networks has continuously monitored and worked with customers to identify and minimize the very few PAN-OS devices that have management web interfaces that are exposed to the Internet or other untrusted networks," the company stated in a separate report describing indicators of compromise for attacks that are targeting the vulnerability.
Although the company claims these zero-days are only impacting a "very small number" of firewalls, threat monitoring platform Shadowserver reported on Friday that it monitors more than 8,700 outside management interfaces for the PAN-OS operating system.
A Palo Alto Networks security advisory from early October states, "Several vulnerabilities have been identified in Palo Alto Networks Expedition that allow unauthorized access to the Expedition database and the arbitrary files on the system, as well as the ability to write arbitrary files to temporary storage locations."
In addition, the advisory stated that the firewall, Panorama, Prisma Access, and Cloud NGFW products are not affected by these vulnerabilities. Even though the two vulnerabilities have been added to CISA's Known Exploited Vulnerabilities Catalog, a binding operational directive (BOD 22-01) has compelled federal agencies to patch Palo Alto Networks Expedition servers on their networks within three weeks, by December 5, to comply with the binding directive.
Earlier this week, CISA issued a warning about yet another Expedition security hole that is capable of allowing threat actors to reselect and reset the credentials for application administrators. The security flaw (CVE-2024-5910) was patched in July and has been actively exploited in attacks. In a proof-of-concept exploit released by Horizon3.ai researcher Zach Hanley last month, he demonstrated that CVE-2024-5910 can be chained with an additional command injection vulnerability (CVE-2024-9464), that was patched in October, to allow an attacker to execute arbitrary commands on vulnerable Expedition servers that are exposed to the Internet.
It has been noted that CVE-2024-9464 is linked to other Expedition security vulnerabilities that were also addressed last month. This may allow firewall admins to take over unpatched PAN-OS firewalls if they have not yet been patched.
As of now, there seems to be a hotfix available for those who are concerned about being exploited, and those who are concerned should upgrade their Expedition tool to version 1.2.96, or higher.
It has been recommended by Palo Alto Networks that, those users who are unable to install the Expedition patch immediately, should restrict access to the Expedition network to approved hosts and networks.
It is crucial to note that when a vulnerability is added to KEV, not only does it introduce the possibility of an attack that exploits that vulnerability, but also that federal agencies have a deadline to either patch it or stop utilizing the flawed solution entirely.
There is usually a deadline for that, which is 21 days from the time the bug is added to the bug-tracking system.
There has recently been an addition to KEV of CVE-2024-5910, a bug that is described as being missing for crooks who have access to networks.
This is Palo Alto Networks Expedition, a tool designed to simplify and automate the complexity of using Palo Alto Networks' next-generation firewalls by optimizing security policies that apply to them. In addition to making it easier for users to migrate from legacy firewall configurations to Palo Alto Networks' security platforms, users can also minimize errors and manual efforts.
The Palo Alto Networks (PAN) management interface has recently been redesigned to provide a more secure experience for users. A report claiming an unverified remote code execution vulnerability via the PAN-OS management interface prompted the company to release an information bulletin.
Those interested in knowing more about hardening network devices are urged to review PCA's recommendations for hardening network devices, and PCA's instructions for gaining access to scan results for the Organization's internet-facing management interfaces are discouraged from following them.