On November 8th, 2024, Palo Alto Networks issued a threat advisory confirming that it had observed threat actors actively exploiting an unauthenticated remote code execution (RCE) vulnerability. Since then, the Cybersecurity and Infrastructure Security Agency (CISA) has disclosed two more critical vulnerabilities in the cybersecurity vendor’s Expedition software.
What Happened?
According to CISA and Palo Alto’s advisory, the November 8th vulnerability impacts instances of the PAN-OS firewall management software that are exposed to the Internet. While the company’s advisory claims it has only seen exploitation on a “limited number of firewall management interfaces,” the cybersecurity provider did not disclose details on how it was discovered or how it was being exploited.
In a further advisory from November 14th, which includes a report from CISA, Palo Alto Networks addressed five high- and critical-severity vulnerabilities in its Expedition customer migration software, a product approaching End of Life in January 2025. The vendor also confirmed that these vulnerabilities do not affect Palo Alto’s firewalls, Panorama, Prisma Access, or Cloud NGFW solutions.
CVE-2024-9463 and CVE-2024-9464 are OS command injection vulnerabilities that allow an unauthenticated threat actor to run arbitrary OS commands as root, enabling the exfiltration of usernames, cleartext passwords, device configurations, and PAN-OS firewall API keys.
The remaining vulnerabilities (CVE-2024-9465 through CVE-2024-9467) are SQL injection and cross-site scripting (XSS) flaws that give attackers access to password hashes, usernames, device configurations, and API keys, which they can use to create and read arbitrary files. Attackers can also use the XSS flaws to run malicious JavaScript and launch phishing attacks. Finally, one of the high-severity vulnerabilities reveals firewall usernames, passwords, and associated API keys.
Mitigation Steps
CyberQP has collected the following action steps for any help desks using vulnerable Palo Alto Networks solutions:
- Restrict access to your PAN-OS management interface to trusted internal IP addresses. Palo Alto Networks has linked its “best practice deployment guidelines” in their advisory.
- Use the Indicators of Compromise listed in the PAN threat advisory to hunt for malicious activity.
- Update your Palo Alto Networks Expedition software to version 1.2.96 or later and rotate all usernames, passwords and API keys in (or processed by) Expedition once the update is complete. Indicators of Compromise are also available for security analysts to use in threat hunting.
- Furthermore, recommendations call for IT teams to restrict Expedition access to authorized users, hosts, or networks and to deactivate the software when it is not being actively used.
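The first and third steps above lend themselves to an inventory check. The following is an added example, not code from CyberQP or Palo Alto Networks: it audits a constructed asset list, flagging management interfaces that listen outside an assumed trusted internal range and Expedition hosts below the 1.2.96 fix version, using numeric version comparison so that 1.2.100 is correctly treated as newer than 1.2.96.

```python
import ipaddress
from typing import NamedTuple

# Minimum fixed Expedition version named in the advisory summary.
EXPEDITION_FIXED_VERSION = "1.2.96"


class Asset(NamedTuple):
    name: str
    product: str   # "expedition" or "pan-os"
    mgmt_ip: str   # address the management interface listens on
    version: str = ""


def parse_version(v: str) -> tuple:
    """'1.2.96' -> (1, 2, 96); a plain string compare would put 1.2.100 before 1.2.96."""
    return tuple(int(part) for part in v.split("."))


def expedition_needs_update(version: str) -> bool:
    return parse_version(version) < parse_version(EXPEDITION_FIXED_VERSION)


def mgmt_interface_exposed(ip: str, trusted_nets) -> bool:
    """True when the management address is outside every allowlisted internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in trusted_nets)


def audit(assets, trusted_nets):
    """Return (asset name, finding) pairs for assets that miss a mitigation step."""
    findings = []
    for a in assets:
        if mgmt_interface_exposed(a.mgmt_ip, trusted_nets):
            findings.append((a.name, "management interface reachable outside trusted ranges"))
        if a.product == "expedition" and expedition_needs_update(a.version):
            findings.append((a.name, f"Expedition {a.version} < {EXPEDITION_FIXED_VERSION}: "
                                     "update, then rotate credentials and API keys"))
    return findings


# Constructed sample data (hypothetical hosts and a hypothetical trusted range).
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]
SAMPLE_ASSETS = [
    Asset("fw-edge-01", "pan-os", "203.0.113.10"),             # outside the trusted range
    Asset("fw-core-01", "pan-os", "10.10.5.1"),
    Asset("expedition-01", "expedition", "10.10.9.20", "1.2.95"),
    Asset("expedition-02", "expedition", "10.10.9.21", "1.2.100"),
]

if __name__ == "__main__":
    for name, msg in audit(SAMPLE_ASSETS, TRUSTED_NETS):
        print(f"{name}: {msg}")
```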