{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-108.pdf"
    },
    "title": "Palo Alto Critical Vulnerabilities",
    "serial_number": "2024-108",
    "publish_date": "11-10-2024 08:22:58",
    "description": "Palo Alto Networks has disclosed multiple critical vulnerabilities in its Expedition tool that can lead to unauthorised access to firewall credentials and sensitive data, including usernames, passwords, and API keys. The vulnerabilities allow attackers to execute arbitrary commands, read or write files, and exploit SQL injection flaws. Successful exploitation could result in a full takeover of affected systems.<br>\n",
    "url_title": "2024-108",
    "content_markdown": "---\ntitle: 'Palo Alto Critical Vulnerabilities'\nnumber: '2024-108'\nversion: '1.0'\noriginal_date: '2024-10-09'\ndate: '2024-10-11'\n---\n\n_History:_\n\n* _11/10/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nPalo Alto Networks has disclosed multiple critical vulnerabilities in its Expedition tool that can lead to unauthorised access to firewall credentials and sensitive data, including usernames, passwords, and API keys. The vulnerabilities allow attackers to execute arbitrary commands, read or write files, and exploit SQL injection flaws. Successful exploitation could result in a full takeover of affected systems.\n\n# Technical Details\n\nThe vulnerabilities include:\n\n- **CVE-2024-9463**: OS command injection allowing an unauthenticated attacker to run arbitrary OS commands as root on the Expedition host, disclosing usernames, clear-text passwords, device configurations and API keys of PAN-OS firewalls (CVSS 9.9).\n- **CVE-2024-9464**: OS command injection allowing an authenticated attacker to run arbitrary OS commands as root, with the same exposure of firewall credentials and API keys (CVSS 9.3).\n- **CVE-2024-9465**: SQL injection allowing an unauthenticated attacker to read Expedition database contents such as password hashes, usernames, device configurations and device API keys, and to create and read arbitrary files on the Expedition system (CVSS 9.2).\n- **CVE-2024-9466**: Clear-text storage of firewall usernames, passwords and API keys in Expedition logs, exposing them to an authenticated attacker (CVSS 8.2).\n- **CVE-2024-9467**: Reflected XSS enabling execution of malicious JavaScript in the browser of an authenticated Expedition user who clicks a crafted link, which could lead to session theft (CVSS 7.0).\n\n# Affected Products\n\n- Expedition versions prior to 1.2.96.\n\n# Detection\n\nIn the `/var/apache/log/access.log` file, anomalous calls to the following endpoints (for example unexpected, repeated, or originating from unknown source addresses) might indicate abuse of these vulnerabilities:\n\n- `/OS/startup/restore/restoreAdmin.php`\n- `/bin/CronJobs.php`\n- `/bin/configurations/parsers/Checkpoint/CHECKPOINT.php`\n\n# Recommendations\n\nIt is recommended to upgrade to Expedition 1.2.96 or later to mitigate these vulnerabilities. Because credentials may already have been exposed, all Expedition usernames, passwords and API keys, as well as all firewall usernames, passwords and API keys that were processed by Expedition, should be rotated after upgrading. Network access to Expedition should also be restricted to authorised users, hosts and networks.\n\n# References\n\n[1] <https://security.paloaltonetworks.com/PAN-SA-2024-0010>\n\n[2] <https://www.securityweek.com/palo-alto-patches-critical-firewall-takeover-vulnerabilities>\n\n[3] <https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>11/10/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Palo Alto Networks has disclosed multiple critical vulnerabilities in its Expedition tool that can lead to unauthorised access to firewall credentials and sensitive data, including usernames, passwords, and API keys. The vulnerabilities allow attackers to execute arbitrary commands, read or write files, and exploit SQL injection flaws. Successful exploitation could result in a full takeover of affected systems.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerabilities include:</p><ul><li><strong>CVE-2024-9463</strong>: OS command injection allowing an unauthenticated attacker to run arbitrary OS commands as root on the Expedition host, disclosing usernames, clear-text passwords, device configurations and API keys of PAN-OS firewalls (CVSS 9.9).</li><li><strong>CVE-2024-9464</strong>: OS command injection allowing an authenticated attacker to run arbitrary OS commands as root, with the same exposure of firewall credentials and API keys (CVSS 9.3).</li><li><strong>CVE-2024-9465</strong>: SQL injection allowing an unauthenticated attacker to read Expedition database contents such as password hashes, usernames, device configurations and device API keys, and to create and read arbitrary files on the Expedition system (CVSS 9.2).</li><li><strong>CVE-2024-9466</strong>: Clear-text storage of firewall usernames, passwords and API keys in Expedition logs, exposing them to an authenticated attacker (CVSS 8.2).</li><li><strong>CVE-2024-9467</strong>: Reflected XSS enabling execution of malicious JavaScript in the browser of an authenticated Expedition user who clicks a crafted link, which could lead to session theft (CVSS 7.0).</li></ul><h2 id=\"affected-products\">Affected Products</h2><ul><li>Expedition versions prior to 1.2.96.</li></ul><h2 id=\"detection\">Detection</h2><p>In the <code>/var/apache/log/access.log</code> file, anomalous calls to the following endpoints (for example unexpected, repeated, or originating from unknown source addresses) might indicate abuse of these vulnerabilities:</p><ul><li><code>/OS/startup/restore/restoreAdmin.php</code></li><li><code>/bin/CronJobs.php</code></li><li><code>/bin/configurations/parsers/Checkpoint/CHECKPOINT.php</code></li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to upgrade to Expedition 1.2.96 or later to mitigate these vulnerabilities. Because credentials may already have been exposed, all Expedition usernames, passwords and API keys, as well as all firewall usernames, passwords and API keys that were processed by Expedition, should be rotated after upgrading. Network access to Expedition should also be restricted to authorised users, hosts and networks.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://security.paloaltonetworks.com/PAN-SA-2024-0010\">https://security.paloaltonetworks.com/PAN-SA-2024-0010</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.securityweek.com/palo-alto-patches-critical-firewall-takeover-vulnerabilities\">https://www.securityweek.com/palo-alto-patches-critical-firewall-takeover-vulnerabilities</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/\">https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
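The Detection section of the advisory lists three Expedition endpoints whose appearance in `/var/apache/log/access.log` may indicate exploitation. The script below is an added example and is not part of the CERT-EU advisory nor of any Palo Alto Networks tooling: it parses Apache combined-format log lines, normalises the request path (query string removed, percent-encoding decoded twice, repeated slashes collapsed) so that trivially encoded variants of the three paths still match, and reports each hit together with a per-source count. The log lines embedded in it are constructed (RFC 5737 documentation addresses), and all function and constant names are the example's own; the assumption that Expedition's Apache writes the standard combined format is an assumption of this example, not a statement from the advisory.

```python
import re
import sys
from collections import Counter
from typing import Iterable
from urllib.parse import unquote, urlsplit

# Endpoints listed in the advisory as indicators of exploitation attempts.
# Matching is done on the normalised path, see normalise_path().
SUSPICIOUS_ENDPOINTS = frozenset({
    "/OS/startup/restore/restoreAdmin.php",
    "/bin/CronJobs.php",
    "/bin/configurations/parsers/Checkpoint/CHECKPOINT.php",
})

# Apache combined log format (assumed here); the referer/user-agent pair is
# optional so the shorter common format parses as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def normalise_path(target: str) -> str:
    """Reduce a request target to a canonical path for comparison.

    Drops the query string, percent-decodes twice (so that double encoding
    such as %2543 -> %43 -> C is undone) and collapses repeated slashes, so
    trivial evasions of a literal string match still hit.
    """
    path = urlsplit(target).path
    path = unquote(unquote(path))
    return re.sub(r"/{2,}", "/", path)


def scan_access_log(lines: Iterable[str]) -> tuple[list[dict], int]:
    """Return (hits, unparsed_count) for the given access-log lines.

    Each hit records ip, time, method, status, user agent, the raw request
    target and the matched endpoint. Lines that do not match LOG_RE are
    counted rather than silently dropped, so a log-format mismatch is visible.
    """
    hits: list[dict] = []
    unparsed = 0
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        path = normalise_path(m["target"])
        if path in SUSPICIOUS_ENDPOINTS:
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "method": m["method"],
                "status": m["status"],
                "ua": m["ua"] or "-",
                "target": m["target"],
                "endpoint": path,
            })
    return hits, unparsed


def hits_by_source(hits: list[dict]) -> dict[str, int]:
    """Count hits per client IP, to spot one source working through the endpoints."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample log (not real data): one benign request per client, the
# three advisory endpoints (one with a query string, one double-slashed and
# percent-encoded), and one line that is not in Apache format at all.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Oct/2024:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Oct/2024:10:15:07 +0000] "POST /OS/startup/restore/restoreAdmin.php HTTP/1.1" 200 33 "-" "python-requests/2.31"
203.0.113.10 - - [09/Oct/2024:10:15:09 +0000] "GET /bin/CronJobs.php?action=run&id=1 HTTP/1.1" 200 120 "-" "python-requests/2.31"
198.51.100.7 - - [09/Oct/2024:10:16:30 +0000] "GET /bin//configurations/parsers/Checkpoint/%43HECKPOINT.php HTTP/1.1" 200 88 "-" "curl/8.4.0"
192.0.2.5 - - [09/Oct/2024:10:17:00 +0000] "GET /css/style.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
this line is not in Apache format and is counted as unparsed
"""


if __name__ == "__main__":
    # Usage: python expedition_hunt.py [/var/apache/log/access.log]
    # Without an argument the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found, bad = scan_access_log(fh)
    else:
        found, bad = scan_access_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]} ({h["ua"]})')
    print(f"{len(found)} suspicious request(s), {bad} unparsed line(s), per source: {hits_by_source(found)}")
```

Every hit still needs analyst review: the advisory speaks of anomalous calls, so a request from an administrator's own workstation during a planned restore is not by itself evidence of compromise, whereas several of these endpoints requested in quick succession by one external address with a scripting user agent is the pattern worth escalating, together with credential rotation as the advisory recommends.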