CVE-2024-9465

Summary

An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksExpedition1.2.0 < 1.2.96affected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Workarounds

Ensure networks access to Expedition is restricted to authorized users, hosts, or networks.

You can check for an indicator of compromise with the following command on an Expedition system (replace "root" with your username if you are using a different username):

    mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"

If you see any records returned, this indicates a potential compromise. Please note that if no records are returned, the system may still be compromised. This is only intended to indicate a potential compromise, rather than confirm a system has not been compromised.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References