Palo Alto Networks has issued security updates to address vulnerabilities impacting its products, including a critical vulnerability in its Expedition migration tool that could grant attackers complete administrator control.
This critical vulnerability, designated CVE-2024-5910, boasts a CVSS score of 9.3 and stems from a lack of authentication within the Expedition migration tool. This missing safeguard could allow malicious actors with network access to Expedition to seize administrative accounts.
All Expedition Versions Before 1.2.92 At Risk
The ramifications of a compromised Expedition migration tool admin account are significant. According to the Palo Alto Networks advisory, “configuration secrets, credentials, and other data imported into Expedition is at risk” and would be exposed to attackers who exploit this flaw.
The vulnerability affects all versions of Expedition prior to 1.2.92, which incorporates a fix. Thankfully, there’s no evidence of this vulnerability being actively exploited. However, Palo Alto Networks strongly recommends updating Expedition to the latest version to mitigate potential threats.
As a temporary workaround, Palo Alto Networks advises restricting network access to Expedition solely to authorized users, devices and networks.
Palo Alto Firewalls Face Blast-RADIUS
In addition to the Expedition migration tool flaw, Palo Alto Networks also addressed a recently discovered vulnerability in the RADIUS protocol, dubbed Blast-RADIUS. This vulnerability, tracked as CVE-2024-3596, could enable attackers to bypass authentication procedures on Palo Alto Networks firewalls leveraging RADIUS servers.
Technical details delve into how Blast-RADIUS exploits a scenario where an attacker positions themselves between a Palo Alto Networks PAN-OS firewall and a RADIUS server, launching a so-called “man-in-the-middle” attack. This maneuver allows the attacker to potentially “escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile,” as outlined in the Palo Alto Networks advisory.
For those unfamiliar, CHAP (Challenge-Handshake Authentication Protocol) and PAP (Password Authentication Protocol) are two authentication protocols that, according to the advisory, “should not be used unless they are encapsulated by an encrypted tunnel” due to their lack of inherent Transport Layer Security (TLS) encryption. Luckily, PAN-OS firewalls configured to utilize EAP-TTLS with PAP for RADIUS server authentication are not susceptible to this exploit.
“Palo Alto Networks is aware of proof of concept code demonstrating how to exploit this generic issue.”
Palo Alto Networks has identified several PAN-OS versions impacted by Blast-RADIUS, with fixes already available for most.
The following PAN-OS versions are impacted:
- PAN-OS 11.1 (fixed in versions >= 11.1.3)
- PAN-OS 11.0 (fixed in versions >= 11.0.4-h4)
- PAN-OS 10.2 (fixed in versions >= 10.2.10)
- PAN-OS 10.1 (fixed in versions >= 10.1.14)
- PAN-OS 9.1 (fixed in versions >= 9.1.19)
A fix for Prisma Access is anticipated by July 30.
