Palo Alto Networks logo
,

Patch now! Palo Alto Expedition vulnerabilities could leak firewall credentials

A set of vulnerabilities in Palo Alto Networks Expedition could allow an attacker to read database contents and arbitrary files

Palo Alto Networks has published a security advisory that describes a set of vulnerabilities in Palo Alto Networks Expedition which could allow an attacker to read its database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system. Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Expedition is the fifth evolution of the Palo Alto Networks Migration Tool. The original main purpose of this tool was to help reduce the time and effort to migrate a configuration from one of the supported vendors to Palo Alto Networks.

The vulnerabilities only affect Expedition versions before 1.2.96 and not the firewalls, Panorama, Prisma Access, or Cloud NGFW.

Palo Alto Networks says it is not aware of any malicious exploitation of these issues, but steps to reproduce this issue are publicly available.

Three out of five vulnerabilities fixed in the latest update were found by a researcher that reverse engineered an earlier security advisory for CVE-2024-5910, a vulnerability which allowed attackers to remotely reset the Expedition application admin credentials.

The main culprit in that discovery is listed as CVE-2024-9464 (CVSS score 9.3 out of 10), an OS command injection vulnerability that allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Based on that, Palo Alto must have uncovered CVE-2024-9463, which has an even higher CVSS score of 9.9 with the exact same description.

The researcher also found a file called /home/userSpace/devices/debug.txt which was visible for unauthorized attackers. The debug file contained the raw request logs of the Expedition server when it exchanged cleartext credentials for API keys in the device integration process. The Expedition server only stores the API keys, and is not supposed to retain the cleartext credentials, but this log file however showed all the credentials used in cleartext. This issue was assigned CVE-2024-9466.

Credentials visible in cleartext
Image courtesy of Horizon3.ai

Digging deeper, the researcher found a publicly accessible PHP file that constructs SQL queries. With that, they were able to construct a request which successfully dumps the entire “users” table.

This vulnerability was listed as CVE-2024-9465 (CVSS score 9.2), an SQL injection vulnerability in Palo Alto Networks Expedition that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

Vulnerabilities like these can leak administrator credentials that are used for more than the firewall alone, opening doors for ransomware groups that would be more than happy to use them.

A workaround and mitigation advice provided by Palo Alto that is recommended even if you are fully patched:

  • Ensure networks access to Expedition is restricted to authorized users, hosts, or networks.
  • If Expedition is not in active use, ensure that Expedition software is shut down.

As the researcher noted:

A significant amount of files are served via the web root, many seemingly unnecessarily, and are exposed via the web services.

So, taking it away from an Internet-accessible server is a good idea that would prevent abuse of vulnerabilities that haven’t been found or published yet. And given the nature of the tool, there aren’t many reasons for it to be accessible from the Internet.