
More bugs in Palo Alto Expedition see active exploitation, CISA warns

Hackers have been actively targeting the firewall management software through multiple vulnerabilities.
Palo Alto Networks headquarters in Silicon Valley; Palo Alto Networks, Inc. is an American multinational cyber security company. (Getty Images)

The Cybersecurity and Infrastructure Security Agency warned Thursday that a vulnerability in Palo Alto Networks’ firewall management software is actively being exploited in the wild, following last week’s attacks that exploited other flaws in the same software.

The two bugs in Palo Alto’s Expedition tool, tracked as CVE-2024-9463 and CVE-2024-9465, could expose firewall credentials and affect versions 1.2.96 and below, according to the vendor alert. Expedition is billed as a tool for migrating from other vendors’ products to Palo Alto Networks software. CISA did not provide further details on possible attackers or victims.

Palo Alto Networks’ alert notes that the company has seen exploits “against a limited number of firewall management interfaces which are exposed to the internet. We are actively investigating this activity.”

Thursday’s alert comes a week after CISA warned of active exploitation of another Expedition bug, tracked as CVE-2024-5910, which affects version 1.2.92 and older versions.


CISA added CVE-2024-5910 to its Known Exploited Vulnerabilities (KEV) catalog Nov. 7, but the software vendor initially published the bug report in July. The vulnerability stems from missing authentication in the firewall deployment and management software and allows an attacker with network access to take over an administrator account. The vulnerability has a CVSS score of 9.3 and is also tracked as PAN-SA-2024-0015 by Palo Alto Networks.

Palo Alto released an advisory about the CVE-2024-5910 bug in October and subsequently updated the alert Thursday. Exploitation of CVE-2024-5910 puts at risk “configuration secrets, credentials, and other data imported” into the product, Palo Alto said in the alert.

CISA’s addition of the vulnerability to the KEV catalog means that federal agencies are required to mitigate the risk within a set time.

The cybersecurity firm Horizon3.ai dove into the bug and found three additional vulnerabilities in the software: CVE-2024-9464, CVE-2024-9465 and CVE-2024-9466.

Palo Alto advised users to shut off Expedition if it is not in use, to upgrade to the latest version, and to restrict network access to the tool.


Concerning CVE-2024-9465, administrators should “check for an indicator of compromise with the following command on an Expedition system (replace ‘root’ with your username if you are using a different username)”:

mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"

Palo Alto noted that any records returned would indicate a compromise, but also warned that a system could still be compromised even if nothing is returned.
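As an added example (not from Palo Alto’s advisory or this article), the indicator query above can be wrapped in a POSIX shell function that runs it in batch mode, counts the rows and returns a non-zero status when any are present, so it can be scheduled or fed into a monitoring job. It assumes the mysql client is on PATH and uses the database name pandb from the advisory.

```shell
#!/bin/sh
# Scripted version of the vendor's indicator-of-compromise check for
# CVE-2024-9465. Assumes the mysql client is installed on the Expedition host
# and that the Expedition database is named pandb (as in the advisory).
# Usage: check_cronjobs [dbuser]   (dbuser defaults to root; -p prompts for the password)

# Run the advisory's query in batch mode: -N drops the column header and
# -B prints tab-separated rows, so the output is empty when the table is empty.
query_cronjobs() {
    user="${1:-root}"
    mysql -u"$user" -p -D pandb -N -B -e "SELECT * FROM cronjobs;"
}

# Returns 0 when no rows come back, 1 when any row is present (the advisory
# treats any record as an indicator of compromise), and 2 when the query
# itself fails (wrong credentials, client missing), which must not be read as "clean".
check_cronjobs() {
    rows="$(query_cronjobs "$1")" || { echo "query failed; result is inconclusive"; return 2; }
    count=$(printf '%s' "$rows" | grep -c .) || true
    if [ "$count" -gt 0 ]; then
        printf 'INDICATOR: %s row(s) found in pandb.cronjobs\n' "$count"
        printf '%s\n' "$rows"
        return 1
    fi
    echo "no rows in pandb.cronjobs (an empty table does not prove the host is clean)"
    return 0
}

# Run the check only when invoked directly with a username argument;
# otherwise the functions can be sourced from another script.
if [ "$#" -gt 0 ]; then
    check_cronjobs "$1"
fi
```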
