Expeditious Fix by Palo Alto Networks for Critical Vulnerability in Expedition Migration Utility
Palo Alto Networks has released security patches for five vulnerabilities affecting its products. One of them, tracked as CVE-2024-5910 (CVSS score: 9.3), is a notable issue that could lead to an authentication bypass.
Described as a case of missing authentication in the Expedition migration tool, the vulnerability could allow a takeover of an admin account.
In an advisory, the company stated, “Unavailability of authentication for a critical function in Palo Alto Networks Expedition may result in an attacker seizing control of an Expedition admin account, provided they have network access to Expedition.” The company also warned, “Data such as configuration secrets, credentials, and other imported information in Expedition are at stake due to this flaw.”
The flaw affects all versions of Expedition prior to 1.2.92, which resolves the issue. Brian Hysell of the Synopsys Cybersecurity Research Center (CyRC) is credited with discovering and reporting the flaw.
Even though there is no concrete evidence of the vulnerability being exploited in the wild, users are advised to update to the most recent version to safeguard against potential threats.
As a temporary measure, Palo Alto Networks suggests limiting network access to Expedition to authorized users, hosts, or networks.
Another issue addressed by the American cybersecurity company is a newly disclosed flaw in the RADIUS protocol dubbed BlastRADIUS (CVE-2024-3596). It could enable a malicious actor capable of mounting an adversary-in-the-middle (AitM) attack between a Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication.
According to the advisory, the vulnerability enables the attacker to “elevate privileges to ‘superuser’ when RADIUS authentication is active and either CHAP or PAP is chosen in the RADIUS server profile.”
The affected products are:
- PAN-OS 11.1 (versions < 11.1.3, resolved in >= 11.1.3)
- PAN-OS 11.0 (versions < 11.0.4-h4, resolved in >= 11.0.4-h4)
- PAN-OS 10.2 (versions < 10.2.10, resolved in >= 10.2.10)
- PAN-OS 10.1 (versions < 10.1.14, resolved in >= 10.1.14)
- PAN-OS 9.1 (versions < 9.1.19, resolved in >= 9.1.19)
- Prisma Access (all versions, fix anticipated to be released on July 30)
The company also pointed out that CHAP and PAP should not be used unless they are carried inside an encrypted tunnel, since these authentication protocols do not provide Transport Layer Security (TLS) on their own; they are considered secure only when used in tandem with a TLS tunnel.
Notably, PAN-OS firewalls configured to use EAP-TTLS with PAP as the authentication protocol for a RADIUS server are also not vulnerable to the exploit.