CVE-2024-9464

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Oct 9, 2024 / Updated: 41d ago

CVSS 9.3 / EPSS 0.04% / Critical

Summary

An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Impact

This vulnerability has a critical severity with a CVSS v4 base score of 9.3. The impact is severe as it allows authenticated attackers to execute arbitrary OS commands with root privileges on Expedition. This can lead to the disclosure of sensitive information including usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. The attack vector is network-based with low attack complexity, requiring no user interaction. The vulnerability affects the confidentiality, integrity, and availability of the vulnerable system at a high level. There is also a high impact on the confidentiality of subsequent systems, although integrity and availability of subsequent systems are not directly affected.

Exploitation

One proof-of-concept exploit is available on github.com. Its exploitation has been reported by various sources, including bleepingcomputer.com.

Patch

As of the current information provided, there is no specific mention of an available patch. The security team should closely monitor Palo Alto Networks' security advisories for patch information and apply it as soon as it becomes available.

Mitigation

While waiting for a patch, consider the following mitigation strategies:
1. Limit network access to the Expedition system to only necessary and trusted IP addresses.
2. Implement strong authentication mechanisms and regularly rotate credentials for Expedition access.
3. Monitor Expedition systems for any suspicious activities or unauthorized access attempts.
4. If possible, consider temporarily isolating or disabling Expedition systems until a patch is available, weighing the risk against operational needs.
5. Regularly back up Expedition configurations and data, ensuring the backups are stored securely and separately from the vulnerable system.
6. Review and restrict user privileges on Expedition to the minimum necessary for operation.
7. Implement additional network segmentation to limit potential lateral movement if the system is compromised.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9464

Oct 9, 2024 at 5:15 PM
CVSS

A CVSS base score of 9.3 has been assigned.

Oct 9, 2024 at 5:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9464.

Oct 9, 2024 at 5:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 9, 2024 at 5:24 PM
Threat Intelligence Report

On 9 October 2024, Palo Alto released an advisory for CVE-2024-9464, detailing a critical vulnerability, though specific details such as CVSS score, exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors were not provided in the announcement. Further investigation into the advisory is necessary to assess the full implications of this vulnerability.

Oct 9, 2024 at 5:26 PM
Exploitation in the Wild

Attacks in the wild have been reported by BleepingComputer.

Oct 9, 2024 at 7:01 PM / BleepingComputer
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 10, 2024 at 2:11 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.3%)

Oct 10, 2024 at 10:30 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (731836)

Oct 11, 2024 at 7:53 AM

Affected Systems

Paloaltonetworks/expedition

Exploits

https://github.com/horizon3ai/CVE-2024-9464

Patches

security.paloaltonetworks.com

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

References

CVE ID
Device details: PAN-PA-5060 / Palo Alto. There are 6 CVEs in the advisory. Description: CVE-2024-9463: CVSS 9.9; CVE-2024-9464: CVSS 9.3; CVE-2024-9465: CVSS 9.2; CVE-2024-9466:
PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL)
CVE / CVSS / Summary
CVE-2024-9464 / 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) / An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
CVE-2024-9463 / 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) / An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Palo Alto Networks Expedition Multiple Vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, & CVE-2024-9467)
This SQL injection vulnerability allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. Successful exploitation may allow attackers to access sensitive data, such as user credentials, to help take over firewall admin accounts.

News

CISA Issues Alert on Ongoing Exploitation of Palo Alto Networks Bugs
A spokesperson for Palo Alto Networks (PAN) confirmed patches were available to address these security vulnerabilities, and stated the company is "monitoring a limited set of exploit activities" and is working with external researchers, business partners, and customers to share information in a timely fashion. A report released by the Cybersecurity and Infrastructure Security Agency, a nonprofit organization that monitors and analyzes threats to the nation's infrastructure, found that Palo Alto Networks' firewall management software was actively exploited in the wild on Thursday.
Palo Alto Networks Discloses Critical Zero-Day Vulnerabilities - CyberQP
CVE-2024-9463 and CVE-2024-9464 are OS command injection vulnerabilities that allow an unauthenticated threat actor to run arbitrary OS commands as root, allowing them to exfiltrate usernames, passwords in clear text, device configuration and PAN-OS firewall API keys. In an additional advisory from November 14th, which contains a report from CISA, Palo Alto Networks addressed five high and critical vulnerabilities in their Expedition customer migration software, a solution approaching End of Life in January 2025.
Metasploit Weekly Wrap-Up: 11/15/2024
Description: Adds a module to chain CVE-2024-5910, a password reset vulnerability with CVE-2024-9464, an authenticated command-injection vulnerability to gain code execution on PaloAlto Expedition servers between versions after 1.2 and before 1.2.92 with or without knowledge of the credentials. The module makes use of both vulnerabilities in order to obtain unauthenticated RCE in the context of the user www-data.
Palo Alto Networks Expedition Multiple Vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467)
Description: Allows an unauthenticated attacker to execute OS commands as root, exposing sensitive data such as usernames, cleartext passwords, device configurations, and API keys of PAN-OS firewalls.
Description: Allows an authenticated user to execute OS commands as root, potentially leading to unauthorized data access and exposure of credentials.
CISA warns of more Palo Alto Networks bugs exploited in attacks
While CVE-2024-9463 allows attackers to run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, the second flaw can be exploited to access Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and create or read arbitrary files on vulnerable systems. "All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating," it added, saying that these security flaws do not affect its firewall, Panorama, Prisma Access, and Cloud NGFW products.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
