Critical vulnerabilities in Palo Alto Expedition: everything you need to know

Detect and mitigate critical vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467) in Palo Alto Networks’ Expedition tool. Organizations should patch urgently.


Palo Alto Networks’ Expedition tool contains multiple critical vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467), including OS command injection, SQL injection, cleartext storage of sensitive information, and cross-site scripting (XSS). These issues, with CVSS scores reaching 9.9, expose systems running Expedition to unauthorized access, credential theft, and administrative takeover. Exploitation requires minimal complexity and no user interaction, posing a critical risk to systems unless addressed promptly. 

What are these vulnerabilities? 

Expedition is a tool designed to help migrate configurations from supported vendors to Palo Alto Networks systems. It allows users to convert configurations from vendors such as Check Point, Cisco, and others to PAN-OS.

The identified vulnerabilities in Expedition include several OS command injection flaws (CVE-2024-9463 and CVE-2024-9464), enabling attackers—both authenticated and unauthenticated—to run arbitrary OS commands as root. This exposure allows access to sensitive data such as firewall credentials and API keys. Additionally, the SQL injection vulnerability (CVE-2024-9465) permits unauthenticated attackers to access Expedition’s database and retrieve critical information like password hashes and configuration details, with the potential to write arbitrary files to the system. Furthermore, CVE-2024-9466 reveals sensitive information in cleartext logs, and CVE-2024-9467 allows reflected XSS, which attackers can exploit to steal user sessions or perform phishing attacks. All vulnerabilities combined represent a substantial threat that requires urgent patching and securing of Expedition instances. 
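The two injection classes named above are easiest to see side by side. The following is an added illustration, not Expedition's code and not derived from it: a generic `ping`-style command builder and a generic user lookup, each in its unsafe form and its hardened form. The table, column names and hostname pattern are constructed for the example.

```python
import re
import sqlite3
from typing import List

# Constructed allowlist for a hostname parameter: letters, digits, dots, dashes.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_cmd_unsafe(host: str) -> str:
    # String concatenation destined for a shell: characters such as ';', '|'
    # or '$(...)' inside `host` are interpreted by the shell, so the service
    # ends up running whatever was appended, with its own privileges.
    return f"ping -c 1 {host}"


def build_cmd_safe(host: str) -> List[str]:
    # Validate against an allowlist, then build an argv list for use without
    # a shell (e.g. subprocess.run(argv)); the value is always one argument
    # and is never re-parsed as command syntax.
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ping", "-c", "1", host]


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "hash-of-admin"), ("alice", "hash-of-alice")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[tuple]:
    # Interpolating the input into the statement lets a crafted value change
    # the query's logic and return rows (here: password hashes) it should not.
    sql = f"SELECT name, pw_hash FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[tuple]:
    # Bound parameter: the input is passed as data and can never alter the SQL.
    sql = "SELECT name, pw_hash FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()
```

The same two fixes apply regardless of language: never hand untrusted input to a shell (validate, then pass it as a single argument), and never build SQL by string formatting (bind parameters).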

| CVE | Type | CVSS |
| --- | --- | --- |
| CVE-2024-9463 | OS command injection | 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) |
| CVE-2024-9464 | OS command injection | 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) |
| CVE-2024-9465 | SQL injection | 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N) |
| CVE-2024-9466 | Cleartext storage of sensitive information | 8.2 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N) |
| CVE-2024-9467 | Reflected XSS | 7.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N) |

Wiz Research data: what’s the risk to cloud environments?       

According to Wiz data, this product is not prevalent in cloud environments; it appears to be exposed to the internet in less than 1% of cloud environments. In addition, the third-party internet scanning service FOFA found only 106 exposed servers worldwide.

Which products are affected? 

All versions of Expedition below 1.2.96 are affected. 

Which actions should security teams take? 

It is recommended to upgrade to Expedition version 1.2.96 or later. This version addresses all identified vulnerabilities. 

The following mitigation steps can be taken to minimize the risk of exploitation:

  1. Access Restrictions: Limit network access to Expedition systems to authorized personnel and networks only. 

  2. Rotate Credentials: Immediately after upgrading, rotate all Expedition-related usernames, passwords, and API keys, including those for firewalls and devices integrated through Expedition. 

  3. Monitor Logs and Check IoCs: Inspect access logs for HTTP requests targeting known vulnerable endpoints like /OS/startup/restore/restoreAdmin.php and /bin/CronJobs.php for signs of unauthorized activity. Additionally, run checks on the Expedition database for suspicious entries indicating potential compromises. 

  4. Shutdown Unused Instances: Disable Expedition software if it is not actively in use to minimize exposure. 
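Two of the checks above lend themselves to a small script: deciding whether an installed version is below 1.2.96, and scanning web-server access logs for requests to the two endpoints named in step 3. The following is an added example, not a Wiz or Palo Alto Networks tool. It assumes logs in the common Apache/nginx "combined" layout; the log lines and client addresses are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Endpoints the advisory's monitoring step says to watch for.
WATCHED_PATHS = ("/OS/startup/restore/restoreAdmin.php", "/bin/CronJobs.php")
# First fixed release named in the advisory.
FIXED_VERSION = (1, 2, 96)

# Common/combined access-log layout:
# client ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(version: str) -> Tuple[int, ...]:
    # Compare numerically: a plain string comparison would rank "1.2.100"
    # below "1.2.96" and wrongly flag a patched install as affected.
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    # "All versions of Expedition below 1.2.96 are affected."
    return parse_version(version) < FIXED_VERSION


def parse_line(line: str) -> Optional[Dict[str, str]]:
    # Return the named fields of one access-log line, or None if it does not
    # fit the expected layout (such lines are skipped rather than crashing the scan).
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    # Collect every request whose path (query string stripped, case-folded)
    # is one of the watched endpoints.
    watched = {p.lower() for p in WATCHED_PATHS}
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        path = record["path"].split("?", 1)[0].lower()
        if path in watched:
            hits.append(record)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    # Number of watched-endpoint requests per client address, for triage.
    counts: Dict[str, int] = {}
    for record in hits:
        counts[record["client"]] = counts.get(record["client"], 0) + 1
    return counts


# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2024:14:02:11 +0000] "POST /OS/startup/restore/restoreAdmin.php HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Oct/2024:14:02:15 +0000] "GET /bin/CronJobs.php?action=list HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Oct/2024:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
    "this line is not an access-log record",
]

if __name__ == "__main__":
    for v in ("1.2.95", "1.2.96", "1.2.100"):
        print(v, "affected" if is_affected(v) else "fixed")
    for rec in find_suspicious(SAMPLE_LOG):
        print(rec["time"], rec["client"], rec["method"], rec["path"], rec["status"])
    print(summarize(find_suspicious(SAMPLE_LOG)))
```

A hit on either endpoint is a reason to look closer, not proof of compromise on its own; the advisory's step 3 pairs this log review with a check of the Expedition database for suspicious entries, and step 2's credential rotation applies whether or not the logs show anything.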

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 
