Exploited
CWE
78 79 89 532
Advisory Published
Updated

PAN-SA-2024-0010: Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL)

First published: Wed Oct 09 2024(Updated: )

Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system. Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. These issues do not affect the firewalls, Panorama, Prisma Access, or Cloud NGFW.

Affected SoftwareAffected VersionHow to fix
Palo Alto Networks Expedition<1.2.96=unspecified
Palo Alto Networks Cloud NGFW
Palo Alto Networks Panorama
Palo Alto Networks PAN-OS
Palo Alto Networks Prisma Access

Remedy

Ensure networks access to Expedition is restricted to authorized users, hosts, or networks. If Expedition is not in active use, ensure that Expedition software is shut down. For CVE-2024-9465, you can check for an indicator of compromise with the following command on an Expedition system (replace "root" with your username if you are using a different username): mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;" If you see any records returned, this indicates a potential compromise. Please note that if no records are returned, the system may still be compromised. This is only intended to indicate a potential compromise, rather than confirm a system has not been compromised. There are no practical indicators of compromise for the remainder of the CVEs in this advisory.

Remedy

The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions. The cleartext file affected by CVE-2024-9466 will be removed automatically during the upgrade. All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition. All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203