Newly Identified Exploited Vulnerabilities in Palo Alto Networks Expedition

Bar Refael

November 18, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities affecting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) Catalog, citing active exploitation in the wild. These vulnerabilities pose a significant risk to enterprise environments because of their high severity and the sensitivity of what they expose.

Vulnerabilities Overview

1. CVE-2024-9463: OS Command Injection

  • Severity: Critical (CVSS 4.0 Score: 9.9)
  • Description: An unauthenticated attacker can exploit an OS command injection vulnerability in Expedition to execute arbitrary commands as root. Exploitation could lead to:
    • Disclosure of sensitive data (e.g., usernames, plaintext passwords, configurations, API keys).
    • Compromise of PAN-OS firewall credentials and configurations.
  • Affected Versions: Expedition versions from 1.2.0 before 1.2.96.
  • Mitigation: Upgrade to Expedition version 1.2.96 or later.
  • References:

2. CVE-2024-9465: SQL Injection

  • Severity: Critical (CVSS 4.0 Score: 9.2)
  • Description: This SQL injection vulnerability allows an attacker to retrieve sensitive Expedition database contents, including password hashes, usernames, and API keys. It can also be used to create arbitrary files on, and read arbitrary files from, the Expedition system.
  • Affected Versions: Expedition versions from 1.2.0 before 1.2.96.
  • Mitigation: Upgrade to Expedition version 1.2.96 or later.
  • References:

Analysis

Threat Actor Behavior

These vulnerabilities are prime targets for malicious actors due to their high impact and ease of exploitation (unauthenticated, network-accessible). Exploitation could enable attackers to gain administrative access to PAN-OS firewalls, extract sensitive configurations, and pivot to other parts of the network.

Risk to Federal Enterprises

CISA’s Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities by a specified deadline. Non-compliance or delayed remediation increases the risk of system compromise and lateral movement within enterprise networks.

Implications for Non-Federal Entities

While BOD 22-01 applies to FCEB agencies, private organizations should also prioritize addressing these vulnerabilities to avoid compromise of critical infrastructure and services.

Mitigation Recommendations

  1. Patch and Update:
    • Upgrade Expedition to version 1.2.96 or later.
    • Follow Palo Alto Networks’ hardening guidance to secure management interfaces.
  2. Restrict Access to Management Interfaces:
    • Limit access to trusted IPs.
    • Disable internet-facing management interfaces whenever feasible.
  3. Implement Network Segmentation:
    • Isolate management networks from production environments to minimize the impact of potential exploits.
  4. Conduct Security Assessments:
    • Use vulnerability scanning tools to identify exposed management interfaces.
    • Regularly audit configurations and monitor for signs of exploitation.
  5. Monitor for Indicators of Compromise (IoCs):
    • Review logs for unauthorized access attempts to Expedition systems.
    • Correlate activity with known exploitation patterns.
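As an added example, not part of the original advisory, a small triage script that flags hosts whose Expedition version falls in the affected range stated above (1.2.0 up to but not including 1.2.96). The inventory and host names are constructed for illustration:

```python
"""Flag Expedition installs in the affected range from the advisory:
versions >= 1.2.0 and < 1.2.96 (fixed in 1.2.96)."""
from typing import Dict, List, Tuple

AFFECTED_MIN = (1, 2, 0)   # first affected version, per the advisory
FIXED_IN = (1, 2, 96)      # first fixed version, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.96' into (1, 2, 96); pad to three components so that
    '1.2' compares as 1.2.0. Raises ValueError on non-numeric input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version lies in [1.2.0, 1.2.96), i.e. needs upgrading."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return hosts running an affected version. Hosts whose version
    cannot be parsed are also returned: unknown is treated as affected
    until the version is confirmed (a conservative default)."""
    needs_action = []
    for host, version in inventory.items():
        try:
            if is_affected(version):
                needs_action.append(host)
        except ValueError:
            needs_action.append(host)
    return sorted(needs_action)


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = {
    "expedition-lab": "1.2.95",      # affected
    "expedition-prod": "1.2.96",     # fixed version, not affected
    "expedition-old": "1.1.50",      # below the affected range
    "expedition-new": "1.2.101",     # above the fixed version
    "expedition-unknown": "n/a",     # unparseable, flagged for review
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to Expedition 1.2.96 or later")
```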

Conclusion

The discovery of CVE-2024-9463 and CVE-2024-9465 highlights the critical need for proactive vulnerability management and secure configuration of network devices. Organizations are urged to act immediately to remediate affected systems, secure network access points, and review security posture to minimize risks posed by these vulnerabilities.