The Cybersecurity and Infrastructure Security Agency (CISA) on Nov. 7 warned that attackers are exploiting a Palo Alto Expedition missing authentication vulnerability that lets threat actors with network access takeover an Expedition admin account and access configuration secrets and credentials.
Expedition is a Palo Alto migration tool that lets security teams convert firewall configurations from Checkpoint, Cisco, and other vendors, to the Palo Alto Networks operating system (PAN-OS).
The critical 9.3 flaw — CVE-2024-5910 — was patched in July, but threat actors have been remotely exploiting it, which led to CISA issuing the advisory. Palo Alto Networks also updated its site Nov. 7, acknowledging that CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
A missing authentication vulnerability occurs when software doesn't verify a user's identity before giving them access to a privileged application function. Once an attacker gains access, they can change configuration settings or gain administrative access.
While tools like Palo Alto Networks Expedition are typically intended for restricted use by authorized users only, configurations can sometimes deviate from this best practice, said Adam Ochayon, solutions architect at Oasis Security.
Ochayon said often these network restrictions are not implemented correctly or tightly enough, exposing such tools to wider access. And, even when these tools are restricted internally, vulnerabilities like CVE-2024-5910 let attackers with minimal network access bypass these restrictions by exploiting weaknesses in the software itself.
“The expectation that these tools are secure because of their ‘intended’ restriction highlights a common misconception,” said Ochayon. “Security practitioners have found that non-human identities (NHIs), like machine and service accounts, often operate without the rigorous security and monitoring measures applied to human users, despite their privileged access.”
Ochayon outlined three main dangers from this type of missing authentication vulnerability:
- Unauthorized access and credential reset: CVE-2024-5910 lets attackers reset Expedition admin credentials without proper authentication. This means they can gain admin-level control over Expedition, accessing sensitive configuration data that could include stored credentials and secrets used in firewall migrations.
- Potential for chained exploits: Security researchers have shown how attackers can combine CVE-2024-5910 with other vulnerabilities, such as CVE-2024-9464, to escalate privileges, execute arbitrary commands, and even take over PAN-OS firewalls. This kind of chaining represents a significant escalation from a mere configuration exposure to full network control.
- Risks from non-human identities (NHIs): Many applications rely on machine-to-machine communication, often through API keys and service accounts. These NHIs, if exposed, can offer attackers extended network access and control beyond the initially compromised system.
John Bambenek, president at Bambenek Consulting, added that a subset of organizations set up Expedition servers to help migrate their network devices to Palo Alto Networks, but in most cases, they probably shouldn’t be internet accessible.
“This vulnerability lets attackers reach out and take over these devices without authentication and they are the kind of tool teams set up for a tactical reason,” said Bambenek. “Once the work gets done, you forget about it. If, for whatever reason, you can't shut it down, get these devices off the open internet.”
