Urgent Update for Admins: Critical Security Warning for Palo Alto Networks Expedition Tool

Palo Alto Networks is alerting administrators to six critical vulnerabilities in its Expedition configuration migration tool and urging them to patch immediately.

Taken together, the vulnerabilities allow an attacker to read the contents of the Expedition database, read arbitrary files, and write files to temporary storage locations on the Expedition system, according to a security advisory the company published this week.

Expedition helps administrators migrate firewall configurations from other vendors' products, including those from Cisco Systems, to Palo Alto Networks firewalls. The data at risk therefore includes usernames, plaintext passwords, device configurations, and device API keys for firewalls running Palo Alto's PAN-OS.

Although the vulnerabilities do not directly affect Panorama, Prisma Access, or Cloud NGFW, Palo Alto Networks has assigned the set a CVSS base score of 9.9 because of the sensitivity of the information that could be compromised. The company says it is not aware of any malicious exploitation of these vulnerabilities to date.

The fixes are included in Expedition version 1.2.96 and later releases.

The company advises rotating all Expedition usernames, passwords, and API keys after upgrading to the fixed version. All firewall usernames, passwords, and API keys that Expedition has handled should also be rotated after the upgrade, since they may already have been exposed.

Where Expedition cannot be updated immediately, administrators should restrict network access to the tool to authorized users, hosts, or networks until the new version is deployed.
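As an added example (not code from Palo Alto Networks or Horizon3.ai), the following Python script applies that interim mitigation in two ways: it renders the ufw rules that limit the Expedition web service on its Ubuntu host to an administrator allow-list, and it reviews the web server's access log for requests that arrived from outside that allow-list, which is the check you would run to find out whether the restriction came too late. It assumes Expedition is served on 443/tcp behind Apache writing combined-format logs; the allow-list network, the source addresses and the request paths in the sample log are all constructed for the example.

```python
"""Interim mitigation for an unpatched Expedition host: restrict the web
service to authorized networks and review the access log for anything that
got in from elsewhere. Added example; not Palo Alto Networks or Horizon3.ai
code. Assumes Apache combined-format logs and service on 443/tcp."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed administrator network; replace with the real management range.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log lines in Apache combined format (addresses, paths
# and user agents are made up for the example, not captured traffic).
SAMPLE_LOG = """\
10.20.0.15 - - [10/Oct/2024:13:01:02 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.20.0.15 - - [10/Oct/2024:13:01:09 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Oct/2024:13:05:44 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.77 - - [10/Oct/2024:13:05:45 +0000] "POST /example/reset.php HTTP/1.1" 200 27 "-" "python-requests/2.31"
192.168.50.9 - - [10/Oct/2024:13:07:10 +0000] "GET /api/v1/status HTTP/1.1" 401 0 "-" "curl/8.4.0"
this line is not a valid log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Request:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def parse_log(text):
    """Parse combined-format lines; malformed lines are skipped, not fatal."""
    requests = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            requests.append(Request(m["ip"], m["ts"], m["method"],
                                    m["path"], int(m["status"])))
    return requests


def is_authorized(ip, allowed=ALLOWED_NETWORKS):
    """True if the source address falls inside any allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def unauthorized_requests(text, allowed=ALLOWED_NETWORKS):
    """Every request whose source is outside the allow-list. A non-empty
    result while the box is unpatched means the credential rotation in the
    advisory is not optional: assume the database contents were read."""
    return [r for r in parse_log(text) if not is_authorized(r.ip, allowed)]


def successful_posts_from_outside(text, allowed=ALLOWED_NETWORKS):
    """Narrower view: state-changing requests from outside that got a 2xx,
    the pattern an unauthenticated password reset would leave behind."""
    return [r for r in unauthorized_requests(text, allowed)
            if r.method == "POST" and 200 <= r.status < 300]


def ufw_rules(allowed=ALLOWED_NETWORKS, port=443):
    """Render the ufw commands for the Ubuntu host: allow the admin networks
    first, then deny the port for everyone else (ufw evaluates in order)."""
    rules = [f"ufw allow from {net} to any port {port} proto tcp" for net in allowed]
    rules.append(f"ufw deny {port}/tcp")
    return rules


if __name__ == "__main__":
    print("Rules to apply on the Expedition host:")
    for rule in ufw_rules():
        print("  " + rule)
    print("\nRequests from outside the allow-list:")
    for r in unauthorized_requests(SAMPLE_LOG):
        print(f"  {r.ts} {r.ip} {r.method} {r.path} -> {r.status}")
    print("\nSuccessful POSTs from outside (investigate as possible resets):")
    for r in successful_posts_from_outside(SAMPLE_LOG):
        print(f"  {r.ts} {r.ip} {r.method} {r.path}")
```

Run it against the real `/var/log/apache2/access.log` by replacing `SAMPLE_LOG`; the allow-list is the same one you feed to ufw, so the log review and the firewall rule cannot drift apart. Both the admin network and the 443/tcp port are assumptions to adjust for your deployment.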

Expedition is typically installed on an Ubuntu server and accessed through a web service. Administrators who use it for migrations must enter credentials for each system involved, as noted by researchers at Horizon3.ai, who identified four of the six vulnerabilities.

The identified vulnerabilities include:

The admin password reset flaw was the first to be revealed, by researchers at Horizon3.ai, who went on to uncover three more. In their blog post, the researchers said they came across it while searching Google for “palo alto expedition reset admin password”: a straightforward PHP request to an endpoint on the web service was enough to reset the admin password. Admin access to Expedition did not by itself expose all of the stored credentials, but many files were located in a directory that served as the web root, and from there the researchers kept digging and found a way to exploit their new access.

When they published their findings earlier this week, the Horizon3 researchers had found only 23 Expedition servers exposed to the internet, a number they said made sense because the tool does not normally need to be reachable from outside.
