InfoSecBulletin Cybersecurity for mankind
Palo Alto Networks released a security advisory (PAN-SA-2024-0010) about several high-severity vulnerabilities in its Expedition migration tool, with CVSS scores between 7.0 and 9.9. Exploiting these flaws could allow attackers to take over firewall admin accounts and access sensitive information like usernames, cleartext passwords, and API keys for PAN-OS firewalls.
The vulnerabilities found in Expedition are serious, particularly for organizations using Palo Alto Networks firewalls. They include OS command injection, SQL injection, and storing sensitive information in cleartext, allowing attackers to gain root access and steal confidential data.
Chrome 130 Launches with Patches for 17 Security Vulnerabilities
Researchers Break RSA Encryption with Quantum Computing
Shadowserver's data
87000+ Fortinet devices still open to attack?
Gmail Scam Alert
Billions of Gmail users at risk from sophisticated new AI hack
RansomHub Targets Bangladeshi Confidence Group
Hackers using ChatGPT create malware, OpenAI confirm
TrackMan exposes nearly 32 Million Records
CISA WARNS
CISA Warns of F5 BIG-IP Cookie Exploitation for Network Reconnaissance
CVE-2024-9164: GitLab Users Urged to Update Now
CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Patches
CVE-2024-9463 (CVSS 9.9): A vulnerability that allows an attacker to run commands on the operating system as an admin, exposing sensitive information like usernames and passwords.
CVE-2024-9464 (CVSS 9.3): A related OS command injection vulnerability that requires authentication and lets attackers run commands as root.
CVE-2024-9465 (CVSS 9.2): An SQL injection flaw that lets attackers access Expedition’s database, exposing passwords and usernames.
CVE-2024-9466 (CVSS 8.2): A vulnerability that allows storing firewall usernames and passwords in an unprotected format, creating a serious risk if not addressed.
CVE-2024-9467 (CVSS 7.0): A reflected XSS vulnerability that lets attackers run harmful JavaScript through phishing attacks.
Palo Alto Networks has released version 1.2.96 of Expedition to fix vulnerabilities. Users are advised to change all usernames, passwords, and API keys after updating. It’s also recommended to restrict network access to authorized users to reduce exposure risk.
The company acknowledged researchers from Horizon3.ai and Palo Alto Networks who reported these vulnerabilities. Despite the severity of these issues, Palo Alto Networks states that they are “not aware of any malicious exploitation of these issues.”
Organizations utilizing Palo Alto Networks Expedition must promptly upgrade to version 1.2.96 or a later release and thoroughly rotate all pertinent credentials. Neglecting this crucial step may expose critical systems to unauthorized access. Additionally, administrators aiming to identify potential compromises related to CVE-2024-9465 can refer to the advisory for the following indicator of compromise (IoC) command:
mysql -uroot -p -D pandb -e “SELECT * FROM cronjobs;”
If this command returns records, it may indicate a compromise of the system. However, Palo Alto Networks advises that this does not guarantee that a system is free from compromise if no records are returned.
