Headline
Palo Alto Networks Patches Critical Zero-Day Firewall Bug
The security vendor’s Expedition firewall appliance’s PAN-OS interface tool has racked up four critical security vulnerabilities under active attack in November, leading tit to advise customers to update immediately or and take them off the Internet.
Source: tofino via Alamy Stock Photo
Palo Alto Networks (PAN) put out an advisory Friday warning its customers that a critical, unauthenticated remote code execution (RCE) bug is under exploit by cybercriminals in its Expedition firewall interface — making this the tool’s fourth vulnerability under active attack identified in just the past week.
PAN’s Expedition firewall management is a utility the vendor uses to transition its new customers from their previous system to PAN-OS. For the latest bug, it issued a critical security bulletin warning about fresh threat activity targeting an unauthenticated remote command injection vulnerability (CVE-2024-0012, CVSS 9.3) in Expedition. The company didn’t specify exactly when it became aware of the zero-day, but it issued patches today for the bug, which arises from a missing authentication check.
“Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet,” Palo Alto Network’s security bulletin said.
The day prior to the PAN bulletin, on Thursday, Nov. 14, CISA added two separate, critical Expedition flaws disclosed Nov. 8 to its Known Exploited Vulnerabilities Catalog: an OS command injection vulnerability (CVE-2024-9463) with a CVSS score of 9.9; and an SQL injection vulnerability (CVE-2024-9465) with a CVSS score of 9.2. And just a week before, another PAN Expedition vulnerability, a missing authentication bug disclosed July 10, made the KEV list (CVE-2024-5910).
Related:Dark Reading Confidential: Meet the Ransomware Negotiators
How to Secure an Exposed Expedition Firewall Management System
Customers should patch their systems as soon as possible; and the vendor urges Expedition users to ensure their systems are not reachable from the public Internet.
And although most of these impacted firewalls already follow that best practice, PAN recommends that customers, “immediately ensure that access to the management interface is possible only from a trusted internal IPs and not from the Internet.”
According to the ShadowServer Foundation’s IoT device tracking statistics, on Nov. 14 there were more than 8,700 instances of PAN-OS Management systems connected to the Internet and vulnerable to these exploits. That number is down from around 11,000 observed prior to PAN’s Nov. 8 bulletin.
“The security of our customers is our highest priority, and we have been in daily contact with customers who we have identified as at heightened risk,” a statement from PAN provided to Dark Reading said. “We recently became aware of malicious activity targeting a small number of firewalls that we believe had a management interface exposed to the Internet. This vulnerability could potentially result in unauthorized access to these specific firewalls. We are actively monitoring the situation and are committed to providing our customers with the support they need to stay secure.”
Related:Akira Ransomware Racks Up 30+ Victims in a Single Day
The company added that Prisma Access and Cloud NGFW are not believed to be impacted.
Experts urge cybersecurity teams not to underestimate the risk of leaving these vulnerabilities exposed.
“OS commanding and SQL injection are among the most critical vulnerabilities in software," says Ray Kelly, a cybersecurity expert with Black Duck. "When both vectors exist in a single product, it essentially exposes the application completely. These vulnerabilities have been known for decades and can be easily detected using most modern Web application scanning tools.”
Last summer, PAN announced Expedition is being phased out and will no longer be supported as of January 2025.
Related news
This Metasploit module lets you obtain remote code execution in Palo Alto Expedition versions 1.2.91 and below. The first vulnerability, CVE-2024-5910, allows to reset the password of the admin user, and the second vulnerability, CVE-2024-9464, is an authenticated OS command injection. In a default installation, commands will get executed in the context of www-data. When credentials are provided, this module will only exploit the second vulnerability. If no credentials are provided, the module will first try to reset the admin password and then perform the OS command injection.
This Metasploit module lets you obtain remote code execution in Palo Alto Expedition versions 1.2.91 and below. The first vulnerability, CVE-2024-5910, allows to reset the password of the admin user, and the second vulnerability, CVE-2024-9464, is an authenticated OS command injection. In a default installation, commands will get executed in the context of www-data. When credentials are provided, this module will only exploit the second vulnerability. If no credentials are provided, the module will first try to reset the admin password and then perform the OS command injection.
A critical security vulnerability in Palo Alto Networks’ Expedition tool is being actively exploited by hackers. CISA urges…
Palo Alto Networks on Friday issued an informational advisory urging customers to ensure that access to the PAN-OS management interface is secured because of a potential remote code execution vulnerability. "Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface," the company said. "At this time, we do not know the specifics of the
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-23113 (CVSS score: 9.8), relates to cases of remote code execution that affects FortiOS, FortiPAM, FortiProxy, and FortiWeb. "A
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-23113 (CVSS score: 9.8), relates to cases of remote code execution that affects FortiOS, FortiPAM, FortiProxy, and FortiWeb. "A
Palo Alto Networks has released security updates to address five security flaws impacting its products, including a critical bug that could lead to an authentication bypass. Cataloged as CVE-2024-5910 (CVSS score: 9.3), the vulnerability has been described as a case of missing authentication in its Expedition migration tool that could lead to an admin account takeover. "Missing authentication