Palo Alto Expedition Exposed: Critical Vulnerabilities Threaten Network Security
On July 10, 2024, Palo Alto Networks published an advisory for CVE-2024-5910, a vulnerability that let an attacker reset the administrator credentials of the Expedition application over the network. Expedition is not widely known: it is a tool for migrating firewall configurations from other vendors, such as Check Point or Cisco, to Palo Alto Networks devices. Anyone with network access to the Expedition web interface could exploit the flaw to take full control of the Expedition admin account.
A look at the documentation shows why this application is an attractive target: its web service integrates with the network devices it migrates to, and the credentials for those devices are stored on the Expedition host itself, an Ubuntu server. Whoever controls Expedition therefore inherits access to every device it knows about.
During testing, researchers found that a single request to a particular web service endpoint reset the admin password. Administrative access, however, was only the first step: the web interface did not expose all of the stored credentials, so reading them required code execution on the server.
Analysis of the web service's code turned up several vulnerable files, most notably CronJobs.php, which composed commands from query parameters and was therefore open to command injection. With a valid session, an attacker could store malicious commands in the database and force the server to execute them.
The result, CVE-2024-9464, gave an attacker command execution on the server, from which the stored credentials could be read with SQL queries against the Expedition database. One such query returned every API key and password in plaintext.
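The stored command-injection pattern the chain above relies on, modelled in Python as an added example. This is not Expedition's code and does not reproduce CronJobs.php; the parameter name `path`, the `cron_jobs` table and the `echo` command are assumptions standing in for the real job logic. A web handler concatenates a query parameter into a command string and writes it to a job table; a cron-style worker later hands the string to /bin/sh. The hardened version validates the parameter against an allowlist, stores a structured argument vector and runs it without a shell.

```python
"""Constructed model of a stored command injection (not Expedition's code)."""
import json
import re
import sqlite3
import subprocess

# Allowlist for the (assumed) 'path' query parameter: no shell metacharacters.
SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+")


def new_queue():
    """In-memory stand-in for the job table a cron worker polls (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cron_jobs (id INTEGER PRIMARY KEY, cmd TEXT)")
    return db


# ---- vulnerable pattern: request parameter concatenated into a shell string ----
def enqueue_vulnerable(db, params):
    """Handler: the raw parameter value becomes part of the stored command."""
    cmd = "echo scanning " + params["path"]
    db.execute("INSERT INTO cron_jobs (cmd) VALUES (?)", (cmd,))


def worker_vulnerable(db):
    """Cron worker: every stored string is run through /bin/sh, metacharacters included."""
    output = []
    for (cmd,) in db.execute("SELECT cmd FROM cron_jobs ORDER BY id"):
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        output.append(result.stdout)
    return "".join(output)


# ---- hardened pattern: validate input, store argv as JSON, never invoke a shell ----
def enqueue_hardened(db, params):
    """Handler: reject anything outside the allowlist, then store a structured argv."""
    path = params["path"]
    if not SAFE_PATH.fullmatch(path):
        raise ValueError(f"rejected path parameter: {path!r}")
    argv = ["echo", "scanning", path]
    db.execute("INSERT INTO cron_jobs (cmd) VALUES (?)", (json.dumps(argv),))


def worker_hardened(db):
    """Cron worker: execute the stored argv directly, so no shell parses it."""
    output = []
    for (cmd,) in db.execute("SELECT cmd FROM cron_jobs ORDER BY id"):
        result = subprocess.run(json.loads(cmd), shell=False, capture_output=True, text=True)
        output.append(result.stdout)
    return "".join(output)


def run_as_argv(path):
    """Defence in depth: even an unvalidated value is one literal argument, not shell syntax."""
    return subprocess.run(["echo", "scanning", path], capture_output=True, text=True).stdout


def demo(payload="/tmp; echo INJECTED"):
    """Feed the same attacker-controlled value through both paths."""
    vuln = new_queue()
    enqueue_vulnerable(vuln, {"path": payload})
    injected_output = worker_vulnerable(vuln)

    hard = new_queue()
    try:
        enqueue_hardened(hard, {"path": payload})
        rejected = False
    except ValueError:
        rejected = True
    return injected_output, rejected


if __name__ == "__main__":
    out, rejected = demo()
    print("vulnerable worker output:", repr(out))
    print("hardened handler rejected payload:", rejected)
    print("argv form keeps it literal:", repr(run_as_argv("/tmp; echo INJECTED")))
```

Two independent defences are in play: the allowlist stops the payload at the handler, and the argv form means that even a value which slipped past validation reaches the program as a single literal argument rather than as shell syntax. Note that the injection is stored, so the session that plants the job and the process that runs it are decoupled; this is why a valid admin session (here, one obtained through the credential reset) was sufficient.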
Further vulnerabilities were found alongside it: CVE-2024-9465, an unauthenticated SQL injection, and CVE-2024-9466, credentials written to log files in plaintext. These allowed an attacker to reach sensitive information without holding an account at all.
At the time of reporting, 23 publicly accessible Expedition servers had been identified on the Internet. A migration tool has no reason to be reachable from the Internet; these servers should be patched and placed behind access controls, and because Expedition holds the credentials of every device it was used with, those credentials should be treated as exposed and rotated.
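The two unauthenticated weaknesses just listed, modelled in Python as an added example (not Expedition's code; the `devices` table, its columns and the sample rows are constructed, and the parameter names are assumptions). The first function builds a lookup query by string formatting, so a crafted hostname turns a harmless existence check into a dump of the credential columns; the second binds the value as a parameter. `redact_for_log` shows the minimal fix for the logging issue: secret-looking request parameters are masked before the line is written.

```python
"""Constructed model of an unauthenticated SQL injection and of credential logging."""
import re
import sqlite3

# Parameter names that must never reach a log line verbatim (assumed naming).
SENSITIVE_KEY = re.compile(r"pass(word)?|api[_-]?key|secret|token", re.IGNORECASE)


def seed_db():
    """In-memory stand-in for a table of stored device credentials (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, hostname TEXT, api_key TEXT, password TEXT)"
    )
    db.executemany(
        "INSERT INTO devices (hostname, api_key, password) VALUES (?, ?, ?)",
        [
            ("fw-edge-01", "LUFRPT1example1", "Winter2024!"),
            ("fw-dc-02", "LUFRPT1example2", "hunter2"),
        ],
    )
    return db


def lookup_vulnerable(db, hostname):
    """Unauthenticated 'does this device exist' check built by string formatting."""
    sql = f"SELECT hostname FROM devices WHERE hostname = '{hostname}'"
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, hostname):
    """Same query, but the value travels as a bound parameter, never as SQL text."""
    rows = db.execute("SELECT hostname FROM devices WHERE hostname = ?", (hostname,))
    return [row[0] for row in rows]


# Payload: close the string literal, append a UNION that pulls the secret
# columns through the one column the endpoint returns, comment out the rest.
DUMP_PAYLOAD = "x' UNION ALL SELECT api_key || ':' || password FROM devices -- "


def redact_for_log(params):
    """Replace secret-looking parameter values before they are written to a log."""
    return {k: ("<redacted>" if SENSITIVE_KEY.search(k) else v) for k, v in params.items()}


if __name__ == "__main__":
    db = seed_db()
    print("vulnerable:", lookup_vulnerable(db, DUMP_PAYLOAD))
    print("hardened:  ", lookup_hardened(db, DUMP_PAYLOAD))
    print("log line:  ", redact_for_log({"hostname": "fw-edge-01", "api_key": "LUFRPT1example1"}))
```

The parameterized form returns nothing for the payload because the whole string is compared against the hostname column as data. Redacting by parameter name is a coarse filter; the stronger fix is to never place credentials in request parameters or log contexts in the first place, but the filter is the quick check to add while that is being done.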