CVE-2024-9465
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Amber
Summary
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | Expedition | 1.2.0 < 1.2.96 | affected |
Weaknesses
- CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Workarounds
Ensure networks access to Expedition is restricted to authorized users, hosts, or networks.
You can check for an indicator of compromise with the following command on an Expedition system (replace "root" with your username if you are using a different username):
mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"
If you see any records returned, this indicates a potential compromise. Please note that if no records are returned, the system may still be compromised. This is only intended to indicate a potential compromise, rather than confirm a system has not been compromised.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: yes
- Technical Impact: total
Additional References
References
- https://security.paloaltonetworks.com/PAN-SA-2024-0010
- https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.