Palo Alto Networks has issued a warning to administrators about six critical vulnerabilities found in its Expedition configuration migration tool that require immediate attention.
According to the security advisory the company released this week, the vulnerabilities allow an attacker to read the contents of the Expedition database and arbitrary files, and to write arbitrary files to temporary storage locations on the Expedition system.
Expedition lets administrators migrate firewall configurations from other vendors’ products, including those from Cisco Systems, to a Palo Alto Networks solution. Because of the data it handles, the flaws put sensitive information at risk: usernames, plaintext passwords, device configurations, and API keys of firewalls running Palo Alto Networks’ PAN-OS operating system.
Although these vulnerabilities do not directly impact Panorama, Prisma Access, or Cloud NGFW firewalls, Palo Alto Networks has assigned a CVSS base score of 9.9 to them, highlighting the critical nature of the information that could potentially be compromised. To date, the company has stated that it is unaware of any malicious exploitation of these vulnerabilities.
The fixes are included in Expedition version 1.2.96 and later.
The company advises that, after upgrading, all usernames, passwords, and API keys used by Expedition be changed. Every firewall username, password, and API key that Expedition has processed must likewise be rotated after the fixed version is installed.
In scenarios where immediate upgrading of Expedition isn’t feasible, administrators are urged to limit access to the tool to only authorized users, hosts, or networks until the new version can be deployed.
Typically, Expedition operates on an Ubuntu server and is accessed via a web service. According to researchers at Horizon3.ai, who uncovered four of the weaknesses, administrators must input the credentials for each system requiring integration.
The vulnerabilities were highlighted in the following way:
This particular flaw was first identified by researchers at Horizon3.ai, who later discovered three additional vulnerabilities. In their blog post, the researchers mentioned they came across this issue while conducting a Google search for “palo alto expedition reset admin password.” Their findings revealed that sending a straightforward PHP request to a web service endpoint could reset the admin password. Although gaining admin access to Expedition did not directly facilitate access to all stored credentials, the researchers observed that numerous files were saved in a directory designated as the web root, which led them to explore a method to exploit this access.
As of the time they reported their findings this week, the Horizon3 team discovered only 23 Expedition servers accessible on the internet, which they deemed reasonable since this is not a tool that requires public exposure.