CISA warned today that two more critical security vulnerabilities in Palo Alto Networks' Expedition migration tool are now actively exploited in the wild.
Attackers can use the two unauthenticated command injection (CVE-2024-9463) and SQL injection (CVE-2024-9465) vulnerabilities to hack into unpatched systems running the company's Expedition migration tool, which helps migrate configurations from Checkpoint, Cisco, and other supported vendors.
While CVE-2024-9463 allows attackers to run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, the second flaw can be exploited to access Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and create or read arbitrary files on vulnerable systems.
Palo Alto Networks is shipping security updates addressing these issues in Expedition 1.2.96 and later. The company advises admins who cannot immediately update the software to restrict Expedition network access to authorized users, hosts, or networks.
"Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system," Palo Alto Networks added in a security advisory published in early October that has since been updated to warn customers that attackers are exploiting these vulnerabilities in the wild.
"Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls."
"All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition. All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating," it added, saying that these security flaws do not affect its firewall, Panorama, Prisma Access, and Cloud NGFW products.
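As a defender-side illustration of the two pieces of vendor guidance above (upgrade to Expedition 1.2.96 or later, and rotate Expedition and firewall credentials afterwards), here is an added Python example that is not part of the original article and not Palo Alto Networks tooling. It compares Expedition version strings against the fixed release numerically rather than lexically (so that 1.2.101 is correctly treated as newer than 1.2.96) and lists the follow-up actions per host. The inventory, hostnames and version strings are constructed sample data, and the dotted-numeric version format is an assumption.

```python
"""Flag Palo Alto Expedition hosts still below the fixed release (1.2.96, per
the advisory) and list the vendor-required follow-up actions for each host.

The inventory below is constructed sample data, not real hosts.
"""
import re
from typing import Dict, List, Tuple

# First Expedition release addressing CVE-2024-9463 and CVE-2024-9465.
FIXED_VERSION = "1.2.96"

# Constructed sample inventory: hostnames and versions are invented.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "expedition-01.example.internal", "version": "1.2.95"},
    {"host": "expedition-02.example.internal", "version": "1.2.96"},
    {"host": "expedition-03.example.internal", "version": "1.2.101"},
    {"host": "expedition-04.example.internal", "version": "1.1.50"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.96' into (1, 2, 96) so tuples compare numerically.

    A plain string comparison would rank '1.2.101' below '1.2.96', which is
    exactly the kind of mistake that leaves a patched host flagged or, worse,
    an unpatched host ignored. The dotted-numeric format is an assumption.
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def assess(inventory: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return, per host, whether it is unpatched and what still has to happen."""
    results: List[Dict[str, object]] = []
    for entry in inventory:
        vulnerable = is_vulnerable(entry["version"])
        actions: List[str] = []
        if vulnerable:
            actions.append(f"upgrade to Expedition {FIXED_VERSION} or later")
            actions.append("until patched, restrict network access to "
                           "authorized users, hosts, or networks")
        # The advisory requires rotation after upgrading, independent of
        # whether exploitation on this particular host has been confirmed.
        actions.append("rotate all Expedition usernames, passwords and API keys")
        actions.append("rotate all firewall usernames, passwords and API keys "
                       "that Expedition processed")
        results.append({
            "host": entry["host"],
            "version": entry["version"],
            "vulnerable": vulnerable,
            "actions": actions,
        })
    return results


if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        state = "UNPATCHED" if row["vulnerable"] else "patched"
        print(f"{row['host']} ({row['version']}): {state}")
        for action in row["actions"]:
            print(f"  - {action}")
```

The rotation actions are listed for every host, not only the unpatched ones, because an Expedition instance that was exposed before it was patched may already have had its database read; the version check tells you who must still upgrade, not who is safe to skip rotation.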
Federal agencies ordered to patch within three weeks
On Thursday, CISA added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch Palo Alto Networks Expedition servers on their networks within three weeks, by December 5, as required by the binding operational directive (BOD 22-01).
One week ago, the cybersecurity agency warned that another Expedition security flaw, a critical missing authentication vulnerability (CVE-2024-5910) patched in July that can let threat actors reset application admin credentials, was being actively abused in attacks.
Although CISA has yet to provide more information on these ongoing attacks, proof-of-concept exploit code released by Horizon3.ai vulnerability researcher Zach Hanley last month can help chain CVE-2024-5910 with another command injection vulnerability (CVE-2024-9464) patched in October to achieve "unauthenticated" arbitrary command execution on vulnerable and Internet-exposed Expedition servers.
CVE-2024-9464 can also be chained with other Expedition flaws (also addressed last month) to take over firewall admin accounts and hijack unpatched PAN-OS firewalls.