Exploit
CVE-2024-9465

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 9, 2024 / Updated: 41d ago

CVSS 9.2 / EPSS 0.04% / Critical

Summary

An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

Impact

This vulnerability has a critical severity with a CVSS v4 base score of 9.2. The impact is severe as it allows unauthenticated attackers to access sensitive information from the Expedition database, including password hashes, usernames, device configurations, and API keys. Additionally, attackers can create and read arbitrary files on the Expedition system, potentially leading to further compromise. The attack vector is network-based with low attack complexity, requiring no user interaction or privileges, making it highly exploitable. The vulnerability primarily affects the confidentiality of the vulnerable system, with a high impact on data confidentiality and a low impact on data integrity.

Exploitation

One proof-of-concept exploit is available on github.com. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including securityonline.info.

Patch

A patch is available. Palo Alto Networks has released security advisory PAN-SA-2024-0010 on October 15, 2024, which likely contains patch information. The security team should refer to this advisory at https://security.paloaltonetworks.com/PAN-SA-2024-0010 for specific patching instructions.

Mitigation

Given the critical nature of this vulnerability, immediate action is recommended:

1. Apply the patch provided in the Palo Alto Networks security advisory PAN-SA-2024-0010 as soon as possible.
2. Implement network segmentation to limit access to Expedition systems from untrusted networks.
3. Apply strict firewall rules to control incoming traffic to Expedition servers.
4. Regularly monitor and audit Expedition systems for any signs of compromise or unauthorized access.
5. Implement strong authentication mechanisms and regularly rotate credentials for Expedition systems.
6. Consider temporarily isolating Expedition systems if immediate patching is not possible.
7. Implement input validation and parameterized queries to prevent SQL injection attacks.
8. Use the principle of least privilege for database accounts used by Expedition.
9. Encrypt sensitive data stored in the Expedition database.
10. Implement robust logging and monitoring for Expedition systems to detect potential exploitation attempts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9465.

Oct 9, 2024 at 5:15 PM

CVSS

A CVSS base score of 9.2 has been assigned.

Oct 9, 2024 at 5:20 PM / nvd

First Article

Feedly found the first article mentioning CVE-2024-9465.

Oct 9, 2024 at 5:24 PM / National Vulnerability Database

CVSS Estimate

Feedly estimated the CVSS score as HIGH.

Oct 9, 2024 at 5:24 PM

Threat Intelligence Report

The Palo Alto Networks advisory released on 9 October 2024 addresses CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466. However, specific details regarding the criticality, CVSS score, exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts for CVE-2024-9465 are not provided in the available information. Further investigation into the advisory is necessary to obtain comprehensive details on this vulnerability.

Oct 9, 2024 at 5:26 PM

Proof of Concept (PoC) Released

A proof-of-concept exploit has been released.

Oct 10, 2024 at 2:11 AM

EPSS

EPSS score was set to 0.04% (percentile: 9.7%).

Oct 10, 2024 at 10:30 AM

Exploitation in the Wild

Attacks in the wild have been reported by Cybersecurity News.

Oct 11, 2024 at 1:49 AM / Cybersecurity News

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (731836).

Oct 11, 2024 at 7:53 AM

Affected Systems

Paloaltonetworks/expedition

Exploits

https://github.com/horizon3ai/CVE-2024-9465

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

security.paloaltonetworks.com

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

References

CVE ID
Device details: PAN-PA-5060 / Palo Alto. There are 6 CVEs in the advisory. DESCRIPTION: CVE-2024-9463: CVSS 9.9; CVE-2024-9464: CVSS 9.3; CVE-2024-9465: CVSS 9.2; CVE-2024-9466:

PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL)

- CVE-2024-9463, CVSS 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N): An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
- CVE-2024-9464, CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N): An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Palo Alto Networks Expedition Multiple Vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, & CVE-2024-9467)
This SQL injection vulnerability allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. Successful exploitation may allow attackers to access sensitive data, such as user credentials, to help take over firewall admin accounts.

News

Weekly Security Sprint EP 90. CISA future, more liability, and password problems
Canadian Centre for Cyber Security – Alert – Securing Palo Alto management interfaces from exploitation. CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability
CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability; CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Palo Alto Networks issues security updates for two zero-day vulnerabilities
Palo Alto Networks has issued crucial security updates aimed at addressing two zero-day vulnerabilities in its next-generation firewalls (NGFW), both of which have been actively exploited in real-world attacks. While Palo Alto Networks noted that only a limited number of management interfaces have been exploited, devices not adhering to best practices such as those with unrestricted internet access are at significantly higher risk.
CISA Issues Alert on Ongoing Exploitation of Palo Alto Networks Bugs
A spokesperson for Palo Alto Networks (PAN) confirmed patches were available to address these security vulnerabilities, and stated the company is "monitoring a limited set of exploit activities" and is working with external researchers, business partners, and customers to share information in a timely fashion. A report released by the Cybersecurity and Infrastructure Security Agency, a nonprofit organization that monitors and analyzes threats to the nation's infrastructure, found that Palo Alto Networks' firewall management software was actively exploited in the wild on Thursday.
Palo Alto Networks Discloses Critical Zero-Day Vulnerabilities - CyberQP
CVE-2024-9463 and CVE-2024-9464 are OS command injection vulnerabilities that allow an unauthenticated threat actor to run arbitrary OS commands as root, allowing them to exfiltrate usernames, passwords in clear text, device configuration and PAN-OS firewall API keys. In an additional advisory from November 14th, which contains a report from CISA, Palo Alto Networks addressed five high and critical vulnerabilities in their Expedition customer migration software, a solution approaching End of Life in January 2025.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
