CISA said it has evidence of active exploitation for two out of six Expedition vulnerabilities Palo Alto Networks patched in October.

Two of six critical vulnerabilities in Palo Alto Networks’ Expedition migration tool, which the company patched in October, are being actively exploited, according to the US Cybersecurity and Infrastructure Security Agency. CISA has now added the two vulnerabilities — CVE-2024-9463 and CVE-2024-9465 — to its Known Exploited Vulnerabilities (KEV) catalog, putting CISOs who ignored last month’s warnings to patch the Palo Alto flaws on notice that their systems are now under threat.

A day after the CISA alert, the cybersecurity giant, which had previously maintained a “no-zero-day” exploitation status on the bugs, updated its advisory to reflect the increased threat. “Palo Alto Networks is aware of reports from CISA that there is evidence of active exploitation for CVE-2024-9463 and CVE-2024-9465,” Palo Alto Networks said in the update.

The vulnerabilities could allow theft of usernames, cleartext passwords, and more on unpatched instances of Expedition, a tool that lets admins migrate their firewall configurations from other vendors’ products to a Palo Alto Networks product.

Bugs enable admin credentials disclosure

CVE-2024-9463 and CVE-2024-9465 are command injection vulnerabilities that allow unauthenticated attackers to execute arbitrary OS-level commands as root and arbitrary SQL commands on the Expedition database, respectively. Attackers can use the flaws to read usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. Because the flaws give attackers access to the Expedition database, they can also enable the creation and reading of arbitrary files on Expedition systems.

CVE-2024-9463 and CVE-2024-9465 have been assigned critical ratings with CVSS base scores of 9.9/10 and 9.2/10, respectively. Both flaws are patched in Expedition 1.2.96 and later versions.
While CISA did not publish technical details of the exploitation, it ordered federal agencies to patch vulnerable Expedition servers by the end of November 2024, as required by Binding Operational Directive 22-01 (BOD 22-01) for critical vulnerabilities.

“Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet,” Palo Alto Networks said in another advisory update, adding, “We do not have sufficient information about any indicators of compromise to share at this time.”

If a compromise is suspected, customers are advised to monitor for suspicious activity such as unrecognised configuration changes or users. As additional workarounds, the company added, all Expedition and firewall usernames, passwords, and API keys should be rotated, Expedition software should be shut down when not in use, and network access to Expedition should be restricted to authorised users, hosts, or networks.
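The advisory's guidance above amounts to two defender tasks: find every Expedition instance still below 1.2.96 (prioritising those reachable from the internet) and watch for users or configuration lines that were not in a known-good baseline. The script below is an added illustration of that triage and drift-detection logic; it is not code from Palo Alto Networks or CISA. The host inventory, user lists and configuration text are constructed sample data in a generic format, not Expedition's own configuration or database schema, and the only page-derived fact is the fixed version 1.2.96.

```python
"""Added example: patch-status triage and baseline drift detection for the
Expedition advisory. Inventory, users and config lines below are constructed."""
from __future__ import annotations

import difflib
from dataclasses import dataclass

# From the advisory: Expedition 1.2.96 and later carry the fixes.
FIXED_VERSION = (1, 2, 96)


def parse_version(version: str) -> tuple[int, ...]:
    """'1.2.95' -> (1, 2, 95); tolerates a leading 'v'. Tuples compare element-wise."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def needs_patch(version: str) -> bool:
    """True when the running release is older than the first fixed release."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class Host:
    name: str
    version: str
    internet_exposed: bool  # management interface reachable from the internet


def triage(hosts: list[Host]) -> list[dict]:
    """Return unpatched hosts, internet-exposed ones first, with the advised action."""
    findings = []
    for host in hosts:
        if needs_patch(host.version):
            findings.append({
                "host": host.name,
                "version": host.version,
                "priority": "critical" if host.internet_exposed else "high",
                "action": "upgrade to 1.2.96 or later; rotate Expedition and "
                          "firewall credentials and API keys; restrict network access",
            })
    # Stable sort: criticals keep their inventory order, then the rest.
    return sorted(findings, key=lambda f: f["priority"] != "critical")


def detect_drift(baseline_users: set[str], current_users: set[str],
                 baseline_config: str, current_config: str) -> dict:
    """Compare a current snapshot against a trusted baseline.

    Reports accounts that appeared or vanished and the exact configuration lines
    that changed (the 'unrecognised configuration changes or users' the advisory
    tells customers to monitor for).
    """
    diff_lines = difflib.unified_diff(
        baseline_config.splitlines(), current_config.splitlines(), lineterm="", n=0
    )
    changed = [
        line for line in diff_lines
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]
    return {
        "unknown_users": sorted(current_users - baseline_users),
        "missing_users": sorted(baseline_users - current_users),
        "config_changed": changed,
    }


# Constructed sample inventory and snapshots (hypothetical host names and settings).
INVENTORY = [
    Host("expedition-lab", "1.2.95", internet_exposed=True),
    Host("expedition-dc1", "1.2.96", internet_exposed=False),
    Host("expedition-dc2", "1.2.90", internet_exposed=False),
]
BASELINE_USERS = {"admin", "migrator"}
CURRENT_USERS = {"admin", "migrator", "svc_backup"}
BASELINE_CONFIG = "listen 0.0.0.0:80\nallow 10.0.0.0/8\n"
CURRENT_CONFIG = "listen 0.0.0.0:80\nallow 0.0.0.0/0\n"

if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(f"[{finding['priority']}] {finding['host']} {finding['version']}: {finding['action']}")
    for key, value in detect_drift(BASELINE_USERS, CURRENT_USERS,
                                   BASELINE_CONFIG, CURRENT_CONFIG).items():
        print(f"{key}: {value}")
```

Running it lists `expedition-lab` first (unpatched and exposed) and `expedition-dc2` second, and flags the unexpected `svc_backup` account plus the widened `allow` rule. In practice the snapshots would be taken from the Expedition host itself and the baseline stored off-box, so that an attacker with root on the appliance cannot quietly rewrite the reference copy.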