Headline
Palo Alto Networks Patches Critical Flaw in Expedition Migration Tool
Palo Alto Networks has released security updates to address five security flaws impacting its products, including a critical bug that could lead to an authentication bypass. Cataloged as CVE-2024-5910 (CVSS score: 9.3), the vulnerability has been described as a case of missing authentication in its Expedition migration tool that could lead to an admin account takeover. "Missing authentication
Vulnerability / Enterprise Security
Palo Alto Networks has released security updates to address five security flaws impacting its products, including a critical bug that could lead to an authentication bypass.
Cataloged as CVE-2024-5910 (CVSS score: 9.3), the vulnerability has been described as a case of missing authentication in its Expedition migration tool that could lead to an admin account takeover.
“Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition,” the company said in an advisory. “Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.”
The flaw impacts all versions of Expedition prior to version 1.2.92, which remediates the problem. Synopsys Cybersecurity Research Center’s (CyRC) Brian Hysell has been credited with discovering and reporting the issue.
While there is no evidence that the vulnerability has been exploited in the wild, users are advised to update to the latest version to secure against potential threats.
As workarounds, Palo Alto Networks is recommending that network access to Expedition is restricted to authorized users, hosts, or networks.
Also fixed by the American cybersecurity firm is a newly disclosed flaw in the RADIUS protocol called BlastRADIUS (CVE-2024-3596) that could allow a bad actor with capabilities to perform an adversary-in-the-middle (AitM) attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to sidestep authentication.
The vulnerability then permits the attacker to “escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile,” it said.
The following products are affected by the shortcomings:
- PAN-OS 11.1 (versions < 11.1.3, fixed in >= 11.1.3)
- PAN-OS 11.0 (versions < 11.0.4-h4, fixed in >= 11.0.4-h4)
- PAN-OS 10.2 (versions < 10.2.10, fixed in >= 10.2.10)
- PAN-OS 10.1 (versions < 10.1.14, fixed in >= 10.1.14)
- PAN-OS 9.1 (versions < 9.1.19, fixed in >= 9.1.19)
- Prisma Access (all versions, fix expected to be released on July 30)
It also noted that neither CHAP nor PAP should be used unless they are encapsulated by an encrypted tunnel since the authentication protocols do not offer Transport Layer Security (TLS). They are not vulnerable in cases where they are used in conjunction with a TLS tunnel.
However, it’s worth noting that PAN-OS firewalls configured to use EAP-TTLS with PAP as the authentication protocol for a RADIUS server are also not susceptible to the attack.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
The security vendor's Expedition firewall appliance's PAN-OS interface tool has racked up four critical security vulnerabilities under active attack in November, leading tit to advise customers to update immediately or and take them off the Internet.
This Metasploit module lets you obtain remote code execution in Palo Alto Expedition versions 1.2.91 and below. The first vulnerability, CVE-2024-5910, allows to reset the password of the admin user, and the second vulnerability, CVE-2024-9464, is an authenticated OS command injection. In a default installation, commands will get executed in the context of www-data. When credentials are provided, this module will only exploit the second vulnerability. If no credentials are provided, the module will first try to reset the admin password and then perform the OS command injection.
This Metasploit module lets you obtain remote code execution in Palo Alto Expedition versions 1.2.91 and below. The first vulnerability, CVE-2024-5910, allows to reset the password of the admin user, and the second vulnerability, CVE-2024-9464, is an authenticated OS command injection. In a default installation, commands will get executed in the context of www-data. When credentials are provided, this module will only exploit the second vulnerability. If no credentials are provided, the module will first try to reset the admin password and then perform the OS command injection.
A critical security vulnerability in Palo Alto Networks’ Expedition tool is being actively exploited by hackers. CISA urges…
Palo Alto Networks on Friday issued an informational advisory urging customers to ensure that access to the PAN-OS management interface is secured because of a potential remote code execution vulnerability. "Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface," the company said. "At this time, we do not know the specifics of the
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that
Red Hat Security Advisory 2024-8577-03 - An update for krb5 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-8461-03 - An update for krb5 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.
Ubuntu Security Notice 7055-1 - Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl discovered that FreeRADIUS incorrectly authenticated certain responses. An attacker able to intercept communications between a RADIUS client and server could possibly use this issue to forge responses, bypass authentication, and access network devices and services. This update introduces new configuration options called "limit_proxy_state" and "require_message_authenticator" that default to "auto" but should be set to "yes" once all RADIUS devices have been upgraded on a network.
Red Hat Security Advisory 2024-4936-03 - An update for the freeradius:3.0 module is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-4935-03 - An update for freeradius is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-4913-03 - An update for the freeradius:3.0 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.
Red Hat Security Advisory 2024-4912-03 - An update for freeradius is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-4911-03 - An update for freeradius is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.
Red Hat Security Advisory 2024-4829-03 - An update for the freeradius:3.0 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.
Red Hat Security Advisory 2024-4828-03 - An update for freeradius is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.
Red Hat Security Advisory 2024-4826-03 - An update for the freeradius:3.0 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.
Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild. Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser