CVE-2024-9466

Insertion of Sensitive Information into Log File (CWE-532)

Published: Oct 9, 2024 / Updated: 41d ago

CVSS 8.2 (High) / EPSS 0.04%

Summary

A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials. This vulnerability affects Palo Alto Networks Expedition versions 1.2.0 up to (but not including) 1.2.96.

Impact

This vulnerability could lead to the exposure of critical firewall credentials and API keys. An authenticated attacker with local access could potentially gain unauthorized access to firewall systems, compromising the security of the entire network infrastructure. The CVSS v4 base score is 8.2 (High severity), indicating a significant risk. The vulnerability primarily affects the confidentiality of the vulnerable system and subsequent systems, with no direct impact on integrity or availability.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at this time.

Patch

As of the latest information provided, there is no mention of an available patch. However, Palo Alto Networks has released a security advisory (PAN-SA-2024-0010) related to this vulnerability. The security team should monitor Palo Alto Networks' security advisories for updates on patching information for the Expedition product.

Mitigation

1. Restrict and monitor local access to systems running Palo Alto Networks Expedition.
2. Implement strong authentication mechanisms and regularly rotate credentials for users with access to Expedition.
3. Monitor logs for any suspicious activities related to credential access or API key usage.
4. Consider implementing network segmentation to limit the potential impact if credentials are compromised.
5. Regularly audit and review firewall configurations and access policies.
6. Keep the Palo Alto Networks Expedition software updated to the latest version as soon as a patch becomes available.
7. If possible, consider upgrading to version 1.2.96 or later of Palo Alto Networks Expedition, as the vulnerability affects versions from 1.2.0 up to (but not including) 1.2.96.
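The weakness class here (CWE-532) is credentials written in cleartext to a log file that other local users can read. The following is an added example, not code from the advisory or from Expedition itself, showing the two defender-side controls behind mitigation items 1 and 3: a logging filter that scrubs credential-bearing fields before a record is written (the hardened pattern), and an audit that scans an existing log for cleartext secrets and flags the file if it is world-readable. The field names it recognises (password=, api_key=, token= and similar), the log format and the sample lines are constructed assumptions, not the real Expedition log layout.

```python
"""Defender-side checks for CWE-532 (sensitive data written to a log file).

Added example, not code from the advisory or from Expedition. Assumptions
(not the real Expedition log format): credential-bearing fields look like
``password=...``, ``api_key=...`` or ``token: '...'``, and the sample log
lines below are constructed for the demo.
"""
import logging
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Matches "<key><sep><value>" where <key> is a credential-like field name.
# The negative lookahead keeps already-redacted values from counting as leaks.
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|(?:api[_-]?)?(?:key|token))"
    r"(\s*[=:]\s*)(['\"]?)(?!\[REDACTED\])([^\s'\"&,]+)\3"
)


def redact(text: str) -> str:
    """Replace the value of every credential-like field with [REDACTED]."""
    return SECRET_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]{m.group(3)}", text
    )


class RedactingFilter(logging.Filter):
    """Hardened pattern: scrub secrets before the record reaches the file."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # apply %-args first, then scrub
        record.args = None
        return True


def audit_log_file(path: str) -> Tuple[bool, List[int]]:
    """Return (world_readable, 1-based line numbers holding cleartext secrets)."""
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    hits: List[int] = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            if SECRET_RE.search(line):
                hits.append(lineno)
    return world_readable, hits


# Constructed sample lines (hypothetical format, not Expedition's own).
SAMPLE_LINES = [
    "2024-10-09 17:15:02 INFO  device FW-PLACEHOLDER connected",
    "2024-10-09 17:15:03 DEBUG login user=admin password=Hunter2 result=ok",
    "2024-10-09 17:15:04 DEBUG keygen api_key=CONSTRUCTED-API-KEY-VALUE",
    "2024-10-09 17:15:05 INFO  sync complete",
]


def demo() -> Dict[str, Tuple[bool, List[int]]]:
    """Audit an unsafe log (cleartext secrets, mode 0644) and a hardened one."""
    workdir = tempfile.mkdtemp()

    # The vulnerable shape: secrets in cleartext, file readable by every local user.
    unsafe = os.path.join(workdir, "unsafe.log")
    with open(unsafe, "w", encoding="utf-8") as fh:
        fh.write("\n".join(SAMPLE_LINES) + "\n")
    os.chmod(unsafe, 0o644)

    # The hardened shape: same events, written through the redacting filter
    # and restricted to the owning account.
    safe = os.path.join(workdir, "safe.log")
    logger = logging.getLogger(f"expedition-demo-{id(workdir)}")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.FileHandler(safe, encoding="utf-8")
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.debug("login user=%s password=%s result=ok", "admin", "Hunter2")
    logger.debug("keygen api_key=%s", "CONSTRUCTED-API-KEY-VALUE")
    logger.removeHandler(handler)
    handler.close()
    os.chmod(safe, 0o600)

    return {"unsafe": audit_log_file(unsafe), "safe": audit_log_file(safe)}


if __name__ == "__main__":
    print(demo())
```

Running the module audits both files: the unsafe log is reported as world-readable with secrets on lines 2 and 3, while the log written through the filter with owner-only permissions reports neither. The filter is attached to the handler rather than the logger so that it also scrubs records arriving from child loggers; the permission check uses only the other-readable bit, so a log readable by a shared group would still need a separate review.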

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9466

Oct 9, 2024 at 5:15 PM
CVSS

A CVSS base score of 8.2 has been assigned.

Oct 9, 2024 at 5:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9466.

Oct 9, 2024 at 5:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 9, 2024 at 5:24 PM
Threat Intelligence Report

CVE-2024-9466 is a critical vulnerability that involves the Expedition server retaining cleartext credentials in a world-readable log file, which should only store API keys. This issue poses significant security risks as it exposes sensitive information, although no specific CVSS score, exploitation details, or mitigations are provided in the available information. The vulnerability was reported and is part of a broader advisory that includes other related CVEs released by Palo Alto on 9 October 2024.

Oct 9, 2024 at 5:26 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 10, 2024 at 10:30 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (731836)

Oct 11, 2024 at 7:53 AM
CVSS

A CVSS base score of 6.5 has been assigned.

Oct 15, 2024 at 3:10 PM / nvd

Affected Systems

Paloaltonetworks/expedition

Patches

security.paloaltonetworks.com

Links to MITRE ATT&CK

T1552.004: Unsecured Credentials: Private Keys

Attack Patterns

CAPEC-215: Fuzzing for application mapping

References

CVE ID
Device details : PAN-PA-5060 / Palo Alto There are 6 CVEs in the advisory. DESCRIPTION: CVE-2024-9463: CVSS: 9.9 CVE-2024-9464: CVSS: 9.3 CVE-2024-9465: CVSS: 9.2 CVE-2024-9466:
PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL)
CVE-2024-9464 9.3 ( CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N ) An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. CVE-2024-9463 9.9 ( CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N ) An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Palo Alto Networks Expedition Multiple Vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, & CVE-2024-9467)
This SQL injection vulnerability allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. Successful exploitation may allow attackers to access sensitive data, such as user credentials, to help take over firewall admin accounts.

News

Palo Alto Networks Expedition Multiple Vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467)
Description: Allows an unauthenticated attacker to execute OS commands as root, exposing sensitive data such as usernames, cleartext passwords, device configurations, and API keys of PAN-OS firewalls Description: Allows an authenticated user to execute OS commands as root, potentially leading to unauthorized data access and exposure of credentials
More bugs in Palo Alto Expedition see active exploitation, CISA warns
The two bugs in Palo Alto’s Expedition tool, tracked as CVE-2024-9463 and CVE-2024-9465, could expose firewall credentials and affect versions 1.2.96 and below, according to the vendor alert. The Cybersecurity and Infrastructure Security Agency warned Thursday that a vulnerability in Palo Alto Networks’ firewall management software is actively being exploited in the wild, following last week’s attacks that exploited other flaws in the same software.
U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog | #ransomware | #cybercrime
CVE-2024-9463 (CVSS 9.9) – A command injection vulnerability in Palo Alto Networks’ Expedition allows unauthenticated attackers to execute OS commands as root, exposing usernames, passwords, configurations, and API keys of PAN-OS firewalls. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following Palo Alto Networks Expedition vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog :
U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog
CVE-2024-9463 (CVSS 9.9) – A command injection vulnerability in Palo Alto Networks’ Expedition allows unauthenticated attackers to execute OS commands as root, exposing usernames, passwords, configurations, and API keys of PAN-OS firewalls. CVE-2024-9466 (CVSS 8.2) – A vulnerability in Palo Alto Networks Expedition allows authenticated attackers to access sensitive information, revealing firewall usernames, passwords, and API keys stored in cleartext.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
