FortiNDRCloud
kcheung
Staff
Article Id 359923

Description

Palo Alto Expedition is a tool that assists in migrating configuration from a supported vendor to Palo Alto Networks.

FortiGuard Labs has observed activity relating to the Palo Alto Expedition Missing Authentication Vulnerability.

CVE-2024-5910 is a missing authentication vulnerability in Palo Alto Expedition that allows unauthenticated attackers to take over the admin account.

CVE-2024-9465 is an SQL injection vulnerability in Palo Alto Expedition that allows unauthenticated attackers to retrieve data from the Expedition database.

CVE-2024-9463 is an OS command injection vulnerability in Palo Alto Expedition that allows unauthenticated attackers to run OS commands as root.

The following versions of Palo Alto Expedition are vulnerable:

For CVE-2024-5910: < 1.2.92

For CVE-2024-9465 and CVE-2024-9463: < 1.2.96

CVE ID

CVE-2024-5910 (https://nvd.nist.gov/vuln/detail/CVE-2024-5910)

CVE-2024-9465 (https://nvd.nist.gov/vuln/detail/CVE-2024-9465)

CVE-2024-9463 (https://nvd.nist.gov/vuln/detail/CVE-2024-9463)

NDR Cloud Detection Rule

FortiNDR Cloud v2024.10+

Detection Rule Name | Category | Primary MITRE ID
FortiGuard Outbreak Alert: Palo Alto Expedition Admin Account Takeover Attempt - CVE-2024-5910 | Attack:Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: Palo Alto Expedition Command Injection Attempt - CVE-2024-9464 | Attack:Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: Palo Alto Expedition SQL Injection Attempt - CVE-2024-9465 | Attack:Exploitation | T1190 - Exploit Public-Facing Application

Playbook

N/A

Threat Hunting

FortiNDR Cloud users can use the IOCs published by Fortinet at the source below to hunt for "Palo Alto Expedition Missing Authentication Vulnerability" related activity.
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=palo%20alto%20expedition%20vulnerability

All IOCs from that source have been added to Intel Management as Indicators.

Suricata Coverage

Customers can create custom investigations and detections using the Suricata signatures below:

2056640 -> ET WEB_SPECIFIC_APPS Palo Alto Expedition Unauthenticated Admin Password Reset (CVE-2024-5910)

2056642 -> ET WEB_SPECIFIC_APPS Palto Alto Expedition Unauthenticated SQL Injection in Checkpoint Config Parser (CVE-2024-9465)

2057721 -> ET WEB_SPECIFIC_APPS Palo Alto Expedition Remote Code Execution (CVE-2024-9463)
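As an added example (not code from this article or from Fortinet), the script below shows one way to turn the three Suricata SIDs listed above into a triage step: it parses lines in Suricata's default fast.log format, keeps only alerts carrying those SIDs, maps each to its CVE, and cross-checks the destination host against an asset inventory using the fixed-version thresholds stated above (1.2.92 and 1.2.96). The fast.log lines, the IP addresses and the asset inventory are constructed for the example, and the inventory lookup is a hypothetical stand-in for whatever CMDB or scan data an organization actually has.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# Suricata SIDs listed in this article, mapped to the CVE each one covers.
SID_TO_CVE = {
    2056640: "CVE-2024-5910",
    2056642: "CVE-2024-9465",
    2057721: "CVE-2024-9463",
}

# First fixed Expedition version per CVE, from the thresholds stated in the article
# (CVE-2024-5910: < 1.2.92 vulnerable; CVE-2024-9465 / CVE-2024-9463: < 1.2.96 vulnerable).
FIXED_IN = {
    "CVE-2024-5910": (1, 2, 92),
    "CVE-2024-9465": (1, 2, 96),
    "CVE-2024-9463": (1, 2, 96),
}

# Constructed (hypothetical) asset inventory: destination IP -> installed Expedition version.
ASSET_VERSIONS: Dict[str, str] = {
    "192.0.2.10": "1.2.91",
    "192.0.2.11": "1.2.96",
}

# Constructed fast.log lines in Suricata's default format; not real traffic.
# The third line is an unrelated signature and should be ignored by the triage.
SAMPLE_FAST_LOG = """\
11/07/2024-10:15:32.123456  [**] [1:2056640:1] ET WEB_SPECIFIC_APPS Palo Alto Expedition Unauthenticated Admin Password Reset (CVE-2024-5910) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:443
11/07/2024-10:16:01.000001  [**] [1:2057721:1] ET WEB_SPECIFIC_APPS Palo Alto Expedition Remote Code Execution (CVE-2024-9463) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51240 -> 192.0.2.11:443
11/07/2024-10:17:45.500000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:443 -> 203.0.113.5:51234
"""

# Fields of a fast.log line: timestamp, [gid:sid:rev], message, protocol, src:port -> dst:port.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_version(text: str) -> tuple:
    """Turn '1.2.91' into (1, 2, 91) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str, cve: str) -> bool:
    """True when the installed version is below the first fixed version for the CVE."""
    return parse_version(version) < FIXED_IN[cve]


@dataclass
class Finding:
    timestamp: str
    sid: int
    cve: str
    src: str
    dst: str
    dst_version: Optional[str]      # None when the host is not in the inventory
    dst_vulnerable: Optional[bool]  # None when the version is unknown


def triage_fast_log(text: str, asset_versions: Dict[str, str] = ASSET_VERSIONS) -> List[Finding]:
    """Keep only alerts for the Expedition SIDs and annotate them with CVE and exposure."""
    findings: List[Finding] = []
    for line in text.splitlines():
        match = FAST_LOG_RE.match(line)
        if not match:
            continue  # not a fast.log alert line
        sid = int(match.group("sid"))
        cve = SID_TO_CVE.get(sid)
        if cve is None:
            continue  # some other signature; out of scope for this triage
        dst = match.group("dst")
        version = asset_versions.get(dst)
        vulnerable = is_vulnerable(version, cve) if version is not None else None
        findings.append(Finding(match.group("ts"), sid, cve, match.group("src"), dst, version, vulnerable))
    return findings


if __name__ == "__main__":
    for f in triage_fast_log(SAMPLE_FAST_LOG):
        exposure = {True: "VULNERABLE", False: "patched", None: "unknown version"}[f.dst_vulnerable]
        print(f"{f.timestamp} sid={f.sid} {f.cve} {f.src} -> {f.dst} ({f.dst_version or '?'}: {exposure})")
```

An alert against a host that is already at or above the fixed version is still worth recording (it shows who is probing), but the ones marked vulnerable are the candidates for immediate containment and for a closer look with the IOC list above.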

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to:
https://www.fortiguard.com/outbreak-alert/palo-alto-expedition-vulnerability
