InfoSecBulletin Cybersecurity for mankind
Palo Alto Networks released a security advisory (PAN-SA-2024-0010) about several high-severity vulnerabilities in its Expedition migration tool, with CVSS scores between 7.0 and 9.9. Exploiting these flaws could allow attackers to take over firewall admin accounts and access sensitive information like usernames, cleartext passwords, and API keys for PAN-OS firewalls.
The vulnerabilities found in Expedition are serious, particularly for organizations using Palo Alto Networks firewalls. They include OS command injection, SQL injection, and storing sensitive information in cleartext, allowing attackers to gain root access and steal confidential data.
SonicWall patched SSLVPN Vuln Allowing Firewall Crashing
GitLab Releases Security Update For Multiple Vulns
ISPAB president “whatsapp” got hacked via phishing link
Zyxel released patches 2 vulns in its USG FLEX H series firewalls
South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked
ChatGPT Develops Exploit for CVEs Before Public PoCs Share
TP-Link Router Vulns Allow to Execute Malicious SQL Commands
SSL.com’s domain validation system’s bug found: Hacker exploited
Amazon Follows Microsoft’s Lead, Halts Some Data Center Deals
Hackers Exploit Zoom’s Remote Control Feature for System Access
CVE-2024-9463 (CVSS 9.9): A vulnerability that allows an attacker to run commands on the operating system as an admin, exposing sensitive information like usernames and passwords.
CVE-2024-9464 (CVSS 9.3): A related OS command injection vulnerability that requires authentication and lets attackers run commands as root.
CVE-2024-9465 (CVSS 9.2): An SQL injection flaw that lets attackers access Expedition’s database, exposing passwords and usernames.
CVE-2024-9466 (CVSS 8.2): A vulnerability that allows storing firewall usernames and passwords in an unprotected format, creating a serious risk if not addressed.
CVE-2024-9467 (CVSS 7.0): A reflected XSS vulnerability that lets attackers run harmful JavaScript through phishing attacks.
Palo Alto Networks has released version 1.2.96 of Expedition to fix vulnerabilities. Users are advised to change all usernames, passwords, and API keys after updating. It’s also recommended to restrict network access to authorized users to reduce exposure risk.
The company acknowledged researchers from Horizon3.ai and Palo Alto Networks who reported these vulnerabilities. Despite the severity of these issues, Palo Alto Networks states that they are “not aware of any malicious exploitation of these issues.”
Organizations utilizing Palo Alto Networks Expedition must promptly upgrade to version 1.2.96 or a later release and thoroughly rotate all pertinent credentials. Neglecting this crucial step may expose critical systems to unauthorized access. Additionally, administrators aiming to identify potential compromises related to CVE-2024-9465 can refer to the advisory for the following indicator of compromise (IoC) command:
mysql -uroot -p -D pandb -e “SELECT * FROM cronjobs;”
If this command returns records, it may indicate a compromise of the system. However, Palo Alto Networks advises that this does not guarantee that a system is free from compromise if no records are returned.
