CISA warns of more Palo Alto Networks bugs exploited in attacks


CISA warned today that two more critical security vulnerabilities in Palo Alto Networks' Expedition migration tool are now actively exploited in the wild.

Attackers can use the two unauthenticated command injection (CVE-2024-9463) and SQL injection (CVE-2024-9465) vulnerabilities to hack into unpatched systems running the company's Expedition migration tool, which helps migrate configurations from Checkpoint, Cisco, and other supported vendors.

While CVE-2024-9463 allows attackers to run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, the second flaw can be exploited to access Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and create or read arbitrary files on vulnerable systems.

Palo Alto Networks is shipping security updates addressing these issues in Expedition 1.2.96 and later. The company advises admins who cannot immediately update the software to restrict Expedition network access to authorized users, hosts, or networks.

“Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system,” Palo Alto Networks added in a security advisory published in early October that still has to be updated to warn customers that attackers are exploiting these vulnerabilities in the wild.

“Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.”

“All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition. All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating,” it added, saying that these security flaws don't affect its firewall, Panorama, Prisma Access, and Cloud NGFW products.

Federal agencies ordered to patch within three weeks

On Thursday, CISA added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch Palo Alto Networks Expedition servers on their networks within three weeks, by December 5, as required by the binding operational directive (BOD 22-01).

One week ago, the cybersecurity agency warned that another Expedition security flaw, a critical missing authentication vulnerability (CVE-2024-5910) patched in July that can let threat actors reset application admin credentials, was being actively abused in attacks.

Even though CISA has yet to provide more information on these ongoing attacks, proof-of-concept exploit code released by Horizon3.ai vulnerability researcher Zach Hanley last month can help chain CVE-2024-5910 with another command injection vulnerability (CVE-2024-9464) patched in October to gain “unauthenticated” arbitrary command execution on vulnerable and Internet-exposed Expedition servers.

CVE-2024-9464 can be chained with other Expedition flaws (also addressed last month) to take over firewall admin accounts and hijack unpatched PAN-OS firewalls.
