Palo Alto Networks warns of firewall hijack bugs with public exploit

Palo Alto Networks warned customers today to patch security vulnerabilities (with public exploit code) that can be chained to let attackers hijack PAN-OS firewalls.

The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from other Checkpoint, Cisco, or supported vendors.

They can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts.

"Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system," the company said in an advisory published on Wednesday.

"Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls."

These bugs are a combination of command injection, reflected cross-site scripting (XSS), cleartext storage of sensitive information, missing authentication, and SQL injection vulnerabilities:

• CVE-2024-9463 (unauthenticated command injection vulnerability)
• CVE-2024-9464 (authenticated command injection vulnerability)
• CVE-2024-9465 (unauthenticated SQL injection vulnerability)
• CVE-2024-9466 (cleartext credentials stored in logs)
• CVE-2024-9467 (unauthenticated reflected XSS vulnerability)

Proof-of-concept exploit available

Horizon3.ai vulnerability researcher Zach Hanley, who found and reported four of the bugs, has also published a root cause analysis write-up that details how he found three of these flaws while researching the CVE-2024-5910 vulnerability (disclosed and patched in July), which allows attackers to reset Expedition application admin credentials.

Hanley also released a proof-of-concept exploit that chains the CVE-2024-5910 admin reset flaw with the CVE-2024-9464 command injection vulnerability to gain "unauthenticated" arbitrary command execution on vulnerable Expedition servers.

Palo Alto Networks says that, for the moment, there is no evidence that the security flaws have been exploited in attacks.

"The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions. The cleartext file affected by CVE-2024-9466 will be removed automatically during the upgrade," Palo Alto Networks added today.

"All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition. All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating."

Admins who can't immediately deploy today's security updates must restrict Expedition network access to authorized users, hosts, or networks.

In April, the company started releasing hotfixes for a maximum-severity zero-day bug that had been actively exploited since March by a state-backed threat actor tracked as UTA0218 to backdoor PAN-OS firewalls.