Palo Alto Networks Patches Critical Flaw in Expedition Migration Tool

Vulnerability / Enterprise Security

Palo Alto Networks has released security updates to address five security flaws impacting its products, including a critical bug that could lead to an authentication bypass.

Cataloged as CVE-2024-5910 (CVSS score: 9.3), the vulnerability has been described as a case of missing authentication in its Expedition migration tool that could lead to an admin account takeover.

“Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition,” the company said in an advisory. “Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.”

The flaw impacts all versions of Expedition prior to version 1.2.92, which remediates the problem. Synopsys Cybersecurity Research Center’s (CyRC) Brian Hysell has been credited with discovering and reporting the issue.

While there is no evidence that the vulnerability has been exploited in the wild, users are advised to update to the latest version to secure against potential threats.

As workarounds, Palo Alto Networks is recommending that network access to Expedition is restricted to authorized users, hosts, or networks.

Also fixed by the American cybersecurity firm is a newly disclosed flaw in the RADIUS protocol called BlastRADIUS (CVE-2024-3596) that could allow a bad actor with capabilities to perform an adversary-in-the-middle (AitM) attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to sidestep authentication.

The vulnerability then permits the attacker to “escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile,” it said.

The following products are affected by the shortcomings:

• PAN-OS 11.1 (versions < 11.1.3, fixed in >= 11.1.3)
• PAN-OS 11.0 (versions < 11.0.4-h4, fixed in >= 11.0.4-h4)
• PAN-OS 10.2 (versions < 10.2.10, fixed in >= 10.2.10)
• PAN-OS 10.1 (versions < 10.1.14, fixed in >= 10.1.14)
• PAN-OS 9.1 (versions < 9.1.19, fixed in >= 9.1.19)
• Prisma Access (all versions, fix expected to be released on July 30)

It also noted that neither CHAP nor PAP should be used unless they are encapsulated by an encrypted tunnel since the authentication protocols do not offer Transport Layer Security (TLS). They are not vulnerable in cases where they are used in conjunction with a TLS tunnel.

However, it’s worth noting that PAN-OS firewalls configured to use EAP-TTLS with PAP as the authentication protocol for a RADIUS server are also not susceptible to the attack.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.