CVE-2024-9463

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Oct 9, 2024 / Updated: 41d ago

CVSS 9.9 | EPSS 0.04% | Critical

Summary

An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
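As an added illustration of the CWE-78 pattern named above (example code written for this page, not Expedition's code; the advisory does not reproduce the vulnerable code path), the block below feeds the same untrusted value once into a shell command string and once into an argv list behind an allowlist check. `echo` stands in for whatever utility the application actually invokes, and the host strings are constructed test inputs.

```python
"""CWE-78, OS command injection: vulnerable shell-string call beside its
hardened form. Illustrative code for this page, not Expedition's own."""
import re
import subprocess

# Allowlist for a hostname or IPv4 literal: letters, digits, dots, hyphens.
# Every shell metacharacter (; | & $ ` ( ) < > space, newline) is rejected
# before the value gets anywhere near a process launch.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def run_vulnerable(host: str) -> str:
    """Splices untrusted input into a command string and hands it to /bin/sh.
    The shell, not `echo`, parses ';' and runs the attacker's second command."""
    proc = subprocess.run(f"echo {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_argv_only(host: str) -> str:
    """Second layer on its own: an argv list with shell=False. There is no
    shell to interpret metacharacters, so the payload is one literal argument."""
    proc = subprocess.run(["echo", host], shell=False,
                          capture_output=True, text=True)
    return proc.stdout


def run_hardened(host: str) -> str:
    """Both layers: reject anything outside the allowlist, then exec via argv.
    Validation gives a clean error; argv makes injection impossible even if
    a future edit forgets the validation."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host string: {host!r}")
    return run_argv_only(host)


if __name__ == "__main__":
    payload = "x; echo INJECTED"          # constructed attacker input
    print("vulnerable :", repr(run_vulnerable(payload)))   # two lines: x, INJECTED
    print("argv only  :", repr(run_argv_only(payload)))    # one literal line
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened   :", exc)
```

The vulnerable function returns two output lines for the payload because the shell executed `echo INJECTED` as a separate command; the argv version returns the payload verbatim as a single argument, and the hardened version refuses it before any process is spawned. Running the vulnerable function as root, as in Expedition, is what turns this pattern into the credential disclosure described above.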

Impact

This vulnerability has a critical severity with a CVSS v4.0 base score of 9.9 (the vendor's vector, reproduced below). An unauthenticated network attacker can execute arbitrary OS commands as root on the Expedition host, which exposes usernames, cleartext passwords, device configurations and device API keys of the PAN-OS firewalls that Expedition manages; those credentials can then be reused against the firewalls themselves. In the v4.0 vector, confidentiality, integrity and availability of the vulnerable system are all rated High, with a High subsequent-system confidentiality impact (the firewall credentials) and no subsequent-system integrity or availability impact. NVD's separate CVSS v3.1 assessment scores only the confidentiality impact (C:H/I:N/A:N) and arrives at 7.5, which is why the timeline below records both 9.9 and 7.5.

Exploitation

No public proof-of-concept is recorded here. Exploitation in the wild is confirmed: CISA added CVE-2024-9463 to its Known Exploited Vulnerabilities (KEV) catalog on Nov 14, 2024 (see the CISA alert under News), together with the related SQL injection CVE-2024-9465.

Patch

A patch is available. Palo Alto Networks has released security updates to address this vulnerability. The patch information can be found at https://security.paloaltonetworks.com/PAN-SA-2024-0010.

Mitigation

1. Apply the security patch from https://security.paloaltonetworks.com/PAN-SA-2024-0010: upgrade Expedition to version 1.2.96 or later. Versions from 1.2.0 up to, but not including, 1.2.96 are affected.
2. Treat every credential Expedition has held as exposed. Per the vendor advisory, rotate all Expedition usernames, passwords and API keys after upgrading, and rotate the firewall usernames, passwords and API keys that Expedition processed; the patch stops further disclosure but does not revoke anything already taken.
3. If immediate patching is not possible:
   - Restrict network access to the Expedition system to trusted source addresses only; it should never be reachable from the internet.
   - Segment the Expedition host away from other critical network components, in particular the firewall management interfaces it talks to.
   - Monitor the Expedition host for suspicious activity, unexpected child processes of the web server and unauthorized access attempts.
   - Review and audit the user accounts, passwords and API keys associated with the PAN-OS firewalls Expedition manages.
   - Add authentication and access controls in front of Expedition where possible.
   - If Expedition is not needed for day-to-day operations, take it offline until the patch can be applied.
4. Conduct a thorough security assessment to identify any compromise of the Expedition host or of the firewalls whose credentials it stored.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9463

Oct 9, 2024 at 5:15 PM
CVSS

A CVSS base score of 9.9 has been assigned.

Oct 9, 2024 at 5:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9463.

Oct 9, 2024 at 5:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 9, 2024 at 5:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.3%)

Oct 10, 2024 at 10:30 AM
Threat Intelligence Report

CVE-2024-9463 is a critical vulnerability with a CVSS score of 9.9, allowing unauthenticated attackers to execute OS commands as root and access sensitive data, including usernames, cleartext passwords, and PAN-OS firewall API keys. At the time of this report (Oct 10, 2024), no details on exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors were available; the later KEV addition is recorded under News.

Oct 10, 2024 at 10:50 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (731836)

Oct 11, 2024 at 7:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (152293)

Oct 11, 2024 at 7:53 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 15, 2024 at 3:10 PM / nvd

Affected Systems

Paloaltonetworks/expedition

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

security.paloaltonetworks.com

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

References

CVE ID
Device details : PAN-PA-5060 / Palo Alto There are 6 CVEs in the advisory. DESCRIPTION: CVE-2024-9463: CVSS: 9.9 CVE-2024-9464: CVSS: 9.3 CVE-2024-9465: CVSS: 9.2 CVE-2024-9466:
PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL)
CVE-2024-9464 9.3 ( CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N ) An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. CVE CVSS Summary CVE-2024-9463 9.9 ( CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N ) An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Palo Alto Networks Expedition Multiple Vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, & CVE-2024-9467)
This SQL injection vulnerability allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. Successful exploitation may allow attackers to access sensitive data, such as user credentials, to help take over firewall admin accounts.

News

Weekly Security Sprint EP 90. CISA future, more liability, and password problems
Canadian Centre for Cyber Security – Alert – Securing Palo Alto management interfaces from exploitation . CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability
CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog , based on evidence of active exploitation. CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria .
Ruleset Update Summary - 2024/11/19 - v10745
2057709 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (windpull .cyou in TLS SNI) (malware.rules) 2057708 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (windpull .cyou) (malware.rules)
CVE-2024-9463 Exploitation
CVE Id : CVE-2024-9463 Published Date: 2024-11-14T00:00:00+00:00 An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. https://www.cisa.gov/known-exploited-vulnerabilities-catalog https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-adds-two-known-exploited-vulnerabilities-catalog inTheWild added CVE-2024-9463 to the list of known exploited vulnerabilities.
Middle East Cybersecurity in 2024: From Zero-Day Exploits to Supply Chain Attacks 
In 2024, the Middle East faces an escalating wave of cyberattacks amid its rapid digital transformation, with zero-day exploits and advanced attack techniques targeting critical infrastructure, government entities, and supply chains. In response, regional governments are strengthening Middle East cybersecurity frameworks, with nations like Qatar, Saudi Arabia, and Oman enforcing stricter regulations and fostering cross-sector collaboration.

CVSS V3.1 (NVD, base score 7.5)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
