Palo Alto Expedition: From N-Day to ATO, Full Compromise Says Horizon3.ai

Horizon3.ai Chief Attack Engineer Zach Hanley has just published “Palo Alto Expedition: From N-Day to Full Compromise.”
Zach notes: “On July 10, 2024, Palo Alto released a security advisory for CVE-2024-5910, a vulnerability which allowed attackers to remotely reset the Expedition application admin credentials. While we had never heard of the Expedition application before, it’s advertised as:
The purpose of this tool is to help reduce the time and efforts of migrating a configuration from a supported vendor to Palo Alto Networks. By using Expedition, everyone can convert a configuration from Checkpoint, Cisco, or any other vendor to a PAN-OS and give you more time to improve the results.
“Further reading the documentation, it became clear that this application might have more attacker value than initially expected. The Expedition application is deployed on an Ubuntu server, interacted with via a web service, and users remotely integrate vendor devices by adding each system’s credentials.”
Today’s blog details the discovery of CVE-2024-5910, and also how Zach and his team found three additional vulnerabilities, which they reported to Palo Alto:
- CVE-2024-9464: Authenticated Command Injection
- CVE-2024-9465: Unauthenticated SQL Injection
- CVE-2024-9466: Cleartext Credentials in Logs
The blog post also includes indicators of compromise (IoCs) for the vulnerabilities.
Horizon3.ai adheres strictly to responsible disclosure of its research, and the disclosure timeline is noted in today’s blog, which you can read here.
This entry was posted on October 9, 2024 at 1:31 pm and is filed under Commentary with tags horizon3.ai. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.