CyberSecurity SEE

Urgent Patching Required for Palo Alto Expedition Migration Tool Flaw


Palo Alto Networks recently released security updates to address vulnerabilities in its products, focusing on a critical flaw in its Expedition migration tool that could potentially grant attackers complete control over administrator accounts. This vulnerability, known as CVE-2024-5910, has a high CVSS score of 9.3 and arises from a lack of authentication within the Expedition migration tool, leaving it open to exploitation by malicious actors with network access.

The implications of a compromised administrator account in the Expedition migration tool are severe. According to Palo Alto Networks’ advisory, sensitive information such as configuration secrets and credentials imported into Expedition could be at risk and exposed to attackers who exploit this vulnerability. This vulnerability impacts all versions of Expedition prior to 1.2.92, which has since been patched to address the issue. While there have been no reported instances of active exploitation, Palo Alto Networks strongly advises users to update Expedition to the latest version as a precautionary measure.

As a temporary solution, Palo Alto Networks recommends restricting network access to Expedition to authorized users, devices, and networks to minimize the risk of unauthorized access.

In addition to the Expedition migration tool vulnerability, the company also addressed a newly discovered flaw in the RADIUS protocol, named Blast-RADIUS. Tracked as CVE-2024-3596, this vulnerability could allow attackers to bypass authentication procedures on Palo Alto Networks firewalls that use RADIUS servers.

Blast-RADIUS exploits a situation where an attacker positions themselves between a Palo Alto Networks PAN-OS firewall and a RADIUS server, executing a “man-in-the-middle” attack. This could potentially enable the attacker to escalate privileges to a “superuser” level when RADIUS authentication is in use with CHAP or PAP selected in the RADIUS server profile. CHAP and PAP are authentication protocols that provide no TLS encryption of their own, so they remain vulnerable to this attack unless encapsulated within an encrypted tunnel.

PAN-OS firewalls configured to use EAP-TTLS with PAP for RADIUS server authentication are not susceptible to this exploit. Palo Alto Networks has identified several impacted PAN-OS versions and has already released fixes for most of them. Users are advised to update their systems to the following fixed versions:

– PAN-OS 11.1 (versions >= 11.1.3)
– PAN-OS 11.0 (versions >= 11.0.4-h4)
– PAN-OS 10.2 (versions >= 10.2.10)
– PAN-OS 10.1 (versions >= 10.1.14)
– PAN-OS 9.1 (versions >= 9.1.19)

A fix for Prisma Access is expected to be available by July 30 to address potential vulnerabilities. It is crucial for users to stay proactive in updating their systems and implementing security measures recommended by Palo Alto Networks to safeguard against potential threats and unauthorized access.
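To turn the fixed-version list above into a repeatable check, here is an added example (not code from Palo Alto Networks or from the article) that parses PAN-OS version strings, including the `-hN` hotfix suffix, and reports which hosts in a constructed inventory still need the CVE-2024-3596 fix, plus whether an Expedition install predates 1.2.92. It assumes a hotfix release sorts after the base release it patches (e.g. 11.0.4-h4 > 11.0.4) and below the next patch level (11.0.5).

```python
import re
from typing import List, Optional, Tuple

# Fixed PAN-OS versions as listed in the advisory, keyed by release train.
FIXED_PANOS = {
    (11, 1): "11.1.3",
    (11, 0): "11.0.4-h4",
    (10, 2): "10.2.10",
    (10, 1): "10.1.14",
    (9, 1): "9.1.19",
}
FIXED_EXPEDITION = "1.2.92"

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn '11.0.4-h4' into (11, 0, 4, 4); a missing hotfix counts as 0.
    Assumption: hotfixes order after their base release and before the next
    patch level, which tuple comparison gives us for free."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def panos_is_fixed(installed: str) -> Optional[bool]:
    """True if the running PAN-OS carries the fix, False if it is still
    vulnerable, None if its release train is not covered by the advisory."""
    ver = parse_version(installed)
    fixed = FIXED_PANOS.get(ver[:2])
    if fixed is None:
        return None
    return ver >= parse_version(fixed)


def expedition_is_fixed(installed: str) -> bool:
    """True once Expedition is at or above the patched 1.2.92 release."""
    return parse_version(installed) >= parse_version(FIXED_EXPEDITION)


def hosts_needing_update(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose PAN-OS is below the fixed version for its train.
    Unknown trains are skipped so a reviewer can triage them separately."""
    return [host for host, ver in inventory if panos_is_fixed(ver) is False]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "11.0.4"),      # base release, lacks the -h4 hotfix
    ("fw-edge-2", "11.0.4-h4"),   # exactly the fixed hotfix
    ("fw-dc-1", "10.2.9-h1"),     # hotfix on an older patch level, still short
    ("fw-dc-2", "10.1.14"),       # fixed
]
```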
