The US Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities Catalogue with two newly identified vulnerabilities in Palo Alto Networks’ Expedition migration tool. These vulnerabilities, tracked as CVE-2024-9463 and CVE-2024-9465, are reportedly being actively exploited. CISA has directed federal agencies to address these issues by 5 December 2024, under its Binding Operational Directive (BOD) 22-01.
Command injection and SQL injection flaws identified
The first vulnerability, CVE-2024-9463, is an unauthenticated command injection issue that allows attackers to execute operating system commands with root privileges. Exploiting this flaw can expose sensitive information such as usernames, plaintext passwords, device configurations, and API keys associated with PAN-OS firewalls.
The second vulnerability, CVE-2024-9465, is a SQL injection flaw that grants unauthorised access to Expedition’s database, exposing password hashes, usernames, and configuration data. Additionally, this vulnerability allows attackers to create or read files on vulnerable systems.
“Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system,” stated Palo Alto Networks. “Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.”
The cybersecurity company clarified that the vulnerabilities do not impact firewalls, Panorama, Prisma Access, or Cloud NGFW.
Expedition is a migration tool designed to facilitate the conversion of firewall configurations from other vendors to Palo Alto Networks’ systems. The exploitation of these vulnerabilities puts sensitive configuration data and administrative credentials at risk.
Palo Alto Networks has addressed the vulnerabilities in Expedition version 1.2.96 and later, advising users to update their systems immediately. For those unable to apply the update promptly, the company recommends restricting network access to authorised users and hosts as a temporary measure.
These new additions follow a similar alert from CISA issued last week regarding another vulnerability in the Expedition tool, identified as CVE-2024-5910. This earlier flaw allowed attackers to reset administrative credentials and was actively exploited before being patched in July 2024.
CISA has also added three other vulnerabilities to its catalogue based on evidence of active exploitation. These include an Android Framework privilege escalation vulnerability (CVE-2024-43093), a CyberPanel incorrect default permissions vulnerability (CVE-2024-51567), and a Nostromo nhttpd directory traversal vulnerability (CVE-2019-16278).
While the directive applies specifically to Federal Civilian Executive Branch (FCEB) agencies, CISA has urged all organisations to prioritise the remediation of vulnerabilities listed in its catalogue. The Known Exploited Vulnerabilities Catalogue is regularly updated to reflect threats identified through active exploitation, with the goal of mitigating risks across both public and private sectors.