Remote administration password reset puts entire networks at risk.
On July 10, 2024, Palo Alto issued an alert regarding the presence of the CVE-2024-5910 vulnerability, which allowed attackers to remotely reset administrator credentials in the Expedition application. Although the Expedition application itself is not as widely known, its goal is to facilitate and speed up the migration of network device configurations from other manufacturers, such as Checkpoint or Cisco, to Palo Alto Networks. Successful exploitation of this vulnerability could give attackers full control over the Expedition administrator account while having network access.
After studying the documentation, it became clear that this application could be of significant interest to attackers, since it integrates with network devices through a web service, and the credentials are stored on a server running Ubuntu.
During testing, the researchers found that a request to a specific web service endpoint allowed the administrator password to be reset. However, gaining administrative access is only the first step and does not give access to all stored credentials. To do this, it was necessary to perform remote code execution on the server.
In the process of examining the code of the web service, several vulnerable files were identified, in particular, the CronJobs.php file. This file allows you to execute commands passed through query parameters, which can be used to inject commands. For example, if there is a valid session, the user could insert a malicious command into the database and force the server to execute it.
As a result, the CVE-2024-9464 vulnerability allowed attackers to execute commands on the server, which made it possible to extract credentials through SQL queries. One such command was a request that returned all API keys and passwords in plain text.
In addition, other vulnerabilities were discovered, including CVE-2024-9465, a SQL injection without authentication, and CVE-2024-9466, a cleartext entry of credentials in log files. These vulnerabilities allowed attackers to access sensitive information even without having an account.
At the time of writing, 23 open Expedition servers have been identified on the Internet that may be subject to attacks, making patching these vulnerabilities critical to ensuring the security of servers and stored data.
Source
On July 10, 2024, Palo Alto issued an alert regarding the presence of the CVE-2024-5910 vulnerability, which allowed attackers to remotely reset administrator credentials in the Expedition application. Although the Expedition application itself is not as widely known, its goal is to facilitate and speed up the migration of network device configurations from other manufacturers, such as Checkpoint or Cisco, to Palo Alto Networks. Successful exploitation of this vulnerability could give attackers full control over the Expedition administrator account while having network access.
After studying the documentation, it became clear that this application could be of significant interest to attackers, since it integrates with network devices through a web service, and the credentials are stored on a server running Ubuntu.
During testing, the researchers found that a request to a specific web service endpoint allowed the administrator password to be reset. However, gaining administrative access is only the first step and does not give access to all stored credentials. To do this, it was necessary to perform remote code execution on the server.
In the process of examining the code of the web service, several vulnerable files were identified, in particular, the CronJobs.php file. This file allows you to execute commands passed through query parameters, which can be used to inject commands. For example, if there is a valid session, the user could insert a malicious command into the database and force the server to execute it.
As a result, the CVE-2024-9464 vulnerability allowed attackers to execute commands on the server, which made it possible to extract credentials through SQL queries. One such command was a request that returned all API keys and passwords in plain text.
In addition, other vulnerabilities were discovered, including CVE-2024-9465, a SQL injection without authentication, and CVE-2024-9466, a cleartext entry of credentials in log files. These vulnerabilities allowed attackers to access sensitive information even without having an account.
At the time of writing, 23 open Expedition servers have been identified on the Internet that may be subject to attacks, making patching these vulnerabilities critical to ensuring the security of servers and stored data.
Source
