InfoSecBulletin Cybersecurity for mankind
Palo Alto Networks released a security advisory (PAN-SA-2024-0010) about several high-severity vulnerabilities in its Expedition migration tool, with CVSS scores between 7.0 and 9.9. Exploiting these flaws could allow attackers to take over firewall admin accounts and access sensitive information like usernames, cleartext passwords, and API keys for PAN-OS firewalls.
The vulnerabilities found in Expedition are serious, particularly for organizations using Palo Alto Networks firewalls. They include OS command injection, SQL injection, and storing sensitive information in cleartext, allowing attackers to gain root access and steal confidential data.
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
Builder claims Rs 150 cr for data loss; AWS faces FIR In Bengaluru
CVE-2024-9463 (CVSS 9.9): A vulnerability that allows an attacker to run commands on the operating system as an admin, exposing sensitive information like usernames and passwords.
CVE-2024-9464 (CVSS 9.3): A related OS command injection vulnerability that requires authentication and lets attackers run commands as root.
CVE-2024-9465 (CVSS 9.2): An SQL injection flaw that lets attackers access Expedition’s database, exposing passwords and usernames.
CVE-2024-9466 (CVSS 8.2): A vulnerability that allows storing firewall usernames and passwords in an unprotected format, creating a serious risk if not addressed.
CVE-2024-9467 (CVSS 7.0): A reflected XSS vulnerability that lets attackers run harmful JavaScript through phishing attacks.
Palo Alto Networks has released version 1.2.96 of Expedition to fix vulnerabilities. Users are advised to change all usernames, passwords, and API keys after updating. It’s also recommended to restrict network access to authorized users to reduce exposure risk.
The company acknowledged researchers from Horizon3.ai and Palo Alto Networks who reported these vulnerabilities. Despite the severity of these issues, Palo Alto Networks states that they are “not aware of any malicious exploitation of these issues.”
Organizations utilizing Palo Alto Networks Expedition must promptly upgrade to version 1.2.96 or a later release and thoroughly rotate all pertinent credentials. Neglecting this crucial step may expose critical systems to unauthorized access. Additionally, administrators aiming to identify potential compromises related to CVE-2024-9465 can refer to the advisory for the following indicator of compromise (IoC) command:
mysql -uroot -p -D pandb -e “SELECT * FROM cronjobs;”
If this command returns records, it may indicate a compromise of the system. However, Palo Alto Networks advises that this does not guarantee that a system is free from compromise if no records are returned.
