Executive Summary

    On October 9, 2024, the cybersecurity firm Horizon3 published a blog post detailing multiple critical vulnerabilities it discovered in Palo Alto Networks' Expedition product. Expedition is a utility that lets Palo Alto customers migrate firewall configurations from other vendors' products to Palo Alto devices. 

    Two of the vulnerabilities (CVE-2024-9464 and CVE-2024-9465) are reachable over the network, one with and one without credentials, and successful exploitation gives an attacker remote code execution (RCE) and the ability to steal credentials stored on the target device. 

    Enough detail was included in the article to build proof-of-concept (PoC) exploits, and we expect financially motivated threat actors to deploy weaponized exploits immediately. Affected organizations should apply the vendor-supplied fixes as soon as possible. 

    Affected Systems or Products

    Palo Alto Expedition, versions prior to 1.2.96. 

    Mitigations / Workarounds

    If an affected organization cannot apply the vendor-supplied update immediately, these vulnerabilities can be temporarily mitigated by restricting network access to the Expedition server to only authorized users, hosts, or networks. Expedition is a migration utility, not a production firewall, so it should not normally need to be reachable from untrusted networks. 

    Patches

    A fixed version (1.2.96) of the Expedition tool has been made available by Palo Alto here. 

    Indicators of Compromise

    Palo Alto provided a query here to check whether an Expedition server has been compromised via CVE-2024-9465. It is run on the Expedition host itself against the local pandb database: 

    mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;" 

    According to Palo Alto, if the above query returns any records, that indicates potential compromise. 

    Technical Details

    Extensive details can be found in the Horizon3 writeup here. Horizon3 found three vulnerabilities in total, and a researcher at Palo Alto found one more. This advisory focuses on CVE-2024-9464 and CVE-2024-9465 because of their high severity and the detailed public analysis available for them. 

    CVE-2024-9464 is a command injection vulnerability in the following endpoint on the Expedition server: 

    https://<target_server>/bin/CronJobs.php 

    It results from the 'start_time' parameter being passed to PHP's exec function without sanitization. An attacker with a valid session ID for any existing user can supply an arbitrary shell command in place of a valid start time and achieve remote code execution (RCE). 

    CVE-2024-9465 is an SQL injection vulnerability in the following endpoint on the Expedition server: 

    https://<target_server>/bin/configurations/parsers/Checkpoint/CHECKPOINT.php 

    It results from request parameters being concatenated into an SQL query without sanitization. Researchers at Horizon3 produced a proof-of-concept (PoC) that first creates a table and then uses it to leak data in follow-up requests. Exploitation of CVE-2024-9465 does not require authentication. 
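    The two defect classes above, a request parameter reaching exec() and a request parameter concatenated into an SQL string, are shown below as an added example that is not Expedition's code or Horizon3's PoC. It is a self-contained Python model: a toy scheduler that builds a shell command from a start_time value (standing in for the CronJobs.php pattern) and a toy lookup that builds a query from a name value (standing in for the CHECKPOINT.php pattern), each in a vulnerable and a hardened form. The schema, table names, HH:MM time format and payloads are constructed assumptions; the SQL leak uses a UNION rather than the create-table technique described in the writeup, since SQLite will not run stacked statements through execute().

```python
"""Added example (not Expedition's code): the two injection patterns in this
advisory, each shown vulnerable and hardened. All data is constructed."""
import re
import sqlite3
import subprocess

# --- Command injection: untrusted value reaches a shell -----------------------

# Assumption: a valid cron start time for this toy scheduler is strictly HH:MM.
START_TIME_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$")


def is_valid_start_time(start_time: str) -> bool:
    """Allow-list check: anything that is not exactly HH:MM is rejected."""
    return START_TIME_RE.fullmatch(start_time) is not None


def vulnerable_cron_command(start_time: str) -> str:
    """Builds one shell string the way an unsanitized exec() call would.
    Shell metacharacters in start_time (';', '|', '$(...)') are interpreted."""
    return f"echo scheduling job at {start_time}"


def hardened_cron_command(start_time: str) -> list:
    """Validates first, then returns an argv list so no shell parses the value."""
    if not is_valid_start_time(start_time):
        raise ValueError(f"invalid start_time: {start_time!r}")
    return ["echo", "scheduling job at", start_time]


def run_vulnerable(start_time: str) -> str:
    """shell=True: the injected ';' terminates echo and runs the attacker's command."""
    proc = subprocess.run(vulnerable_cron_command(start_time), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_hardened(start_time: str) -> str:
    """argv list, no shell: the value can only ever be an argument to echo."""
    proc = subprocess.run(hardened_cron_command(start_time),
                          capture_output=True, text=True)
    return proc.stdout


# --- SQL injection: untrusted value concatenated into a query ------------------

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for an application database holding credentials."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'sha256:deadbeef');
        CREATE TABLE parsed_configs (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO parsed_configs VALUES (1, 'checkpoint-export');
    """)
    return db


def vulnerable_lookup(db: sqlite3.Connection, name: str) -> list:
    """String-built query: the caller's quotes and keywords become SQL."""
    sql = f"SELECT id, name FROM parsed_configs WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def hardened_lookup(db: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is bound as data, never parsed as SQL."""
    return db.execute("SELECT id, name FROM parsed_configs WHERE name = ?",
                      (name,)).fetchall()


# Constructed payload: closes the string literal, unions in the users table,
# and comments out the query's trailing quote.
LEAK_PAYLOAD = "x' UNION SELECT id, username || ':' || password_hash FROM users -- "
CMD_PAYLOAD = "12:00; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(CMD_PAYLOAD)))
    print("hardened valid:", repr(run_hardened("12:00")))
    print("hardened payload accepted:", is_valid_start_time(CMD_PAYLOAD))
    db = make_db()
    print("vulnerable lookup:", vulnerable_lookup(db, LEAK_PAYLOAD))
    print("hardened lookup:", hardened_lookup(db, LEAK_PAYLOAD))
```

    The fix in both halves is the same shape: treat the request value as data, never as part of the command or query text. For the shell case that means an allow-list check plus an argv list (or no shell call at all); for the SQL case it means a bound parameter. Escaping alone is the weaker choice, because it depends on getting every metacharacter right for every interpreter involved.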

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices discovered by our Attack Surface Management solution, Karma, to identify potentially impacted Expedition servers and to support organizations in remediating any issues found.