On July 10, 2024, Palo Alto released a security advisory for CVE-2024-5910, a vulnerability which allowed attackers to remotely reset the Expedition application admin credentials. While we had never heard of Expedition application before, it’s advertised as: The purpose of this tool is to help reduce the time and efforts of migrating a configuration from a supported vendor to Palo Alto Networks. By using Expedition, everyone can convert a configuration from Checkpoint, Cisco, or any other vendor to a PAN-OS and give you more time to improve the results. Further reading the documentation, it became clear that this application might have more attacker value than initially expected. The Expedition application is deployed on Ubuntu server, interacted with via a web service, and users remotely integrate vendor devices by adding each system’s credentials. Figure 1. Integrating a device with credentials This blog details finding CVE-2024-5910, but also how we ended up discovering 3 additional vulnerabilities which we reported to Palo Alto: CVE-2024-9464: Authenticated Command Injection CVE-2024-9465: Unauthenticated SQL Injection CVE-2024-9466: Cleartext Credentials in Logs CVE-2024-5910: No Reversing Needed Given the description of the vulnerability, it sounded like there existed some built in function that allowed reseting the admin credential. Missing authentication…

First seen on securityboulevard.com

Jump to article: securityboulevard.com/2024/10/palo-alto-expedition-from-n-day-to-full-compromise/