Fortra is actively researching a vulnerability in Palo Alto Networks Expedition, CVE-2024-5910. Palo Alto Networks Expedition is a tool designed to assist with migrating configurations from other vendors to Palo Alto devices. CVE-2024-5910 allows attackers to remotely reset administrator credentials, gaining complete access to Expedition and all of the data stored within it. Customers are advised to upgrade to a fixed version of Expedition.
Who is affected?
Customers using Palo Alto Expedition 1.2 versions before 1.2.92 are vulnerable to CVE-2024-5910.
What can I do?
Palo Alto has released a fix in versions 1.2.92 and later. Customers are advised to upgrade to a fixed version as soon as possible.
For more information about this vulnerability and fix, refer to Palo Alto’s advisory.
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Vulnerability Scanning: Alert Logic released authenticated scan coverage on November 20, 2024, and agent-based scan detection on November 21 to identify this vulnerability.
Core Impact: The module for Core Impact was delivered on November 11, 2024. This module exploits CVE-2024-5910 to reset the admin password by sending a specially crafted request to the endpoint /OS/startup/restore/restoreAdmin.php. After obtaining the admin password, it authenticates with the admin credentials and exploits CVE-2024-9464 to deploy an agent. Exploiting CVE-2024-9464 consists of sending a specially crafted request to the endpoint /bin/CronJobs.php. An authenticated user can abuse this endpoint to insert commands into the cronjobs table in pandb. Once a command has been inserted into this table, the target executes it.
Tripwire IP360: Tripwire released scan coverage on November 20, 2024, to identify vulnerable instances. If the vulnerability is found, Tripwire vulnerability 677111 will match for CVE-2024-5910.
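For defenders reviewing Expedition web server logs, the following added example (not Fortra or Palo Alto code) flags requests to the two endpoints named in the Core Impact description and correlates a reset request with a later CronJobs.php request from the same source. The combined access log layout, the one-hour window and the sample lines are assumptions made for this example.

```python
import posixpath
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Endpoint paths exactly as named in the advisory text.
RESET_PATH = "/OS/startup/restore/restoreAdmin.php"  # CVE-2024-5910
CRON_PATH = "/bin/CronJobs.php"                      # CVE-2024-9464
WINDOW = timedelta(hours=1)  # assumed correlation window; tune locally

# Assumed layout: Apache/nginx "combined" access log.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, time, normalized_path, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, uri, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string, decode %xx and collapse // so rewritten URLs still match.
    path = posixpath.normpath(re.sub(r"/{2,}", "/", unquote(uri.split("?", 1)[0])))
    return ip, when, path, int(status)

def find_chains(lines):
    """alerts: every request to the reset endpoint.
    chains: source IPs that reached CronJobs.php within WINDOW of one."""
    alerts, chains, last_reset = [], [], {}
    records = sorted((r for r in map(parse, lines) if r), key=lambda r: r[1])
    for ip, when, path, status in records:
        if path == RESET_PATH:
            alerts.append((ip, when, status))
            last_reset[ip] = when
        elif path == CRON_PATH and ip in last_reset and when - last_reset[ip] <= WINDOW:
            chains.append((ip, last_reset[ip], when))
    return alerts, chains

# Constructed sample lines (documentation address ranges; methods and statuses arbitrary).
SAMPLE = [
    '198.51.100.7 - - [12/Nov/2024:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [12/Nov/2024:03:15:00 +0000] "POST /OS/startup/restore/restoreAdmin.php HTTP/1.1" 200 88 "-" "-"',
    '203.0.113.9 - - [12/Nov/2024:03:15:42 +0000] "POST /bin/CronJobs.php HTTP/1.1" 200 40 "-" "-"',
    '192.0.2.50 - - [12/Nov/2024:09:00:00 +0000] "GET /bin/CronJobs.php?x=1 HTTP/1.1" 200 40 "-" "-"',
    '198.51.100.7 - - [12/Nov/2024:10:00:00 +0000] "GET /OS//startup/restore/%72estoreAdmin.php HTTP/1.1" 404 0 "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    print(find_chains(SAMPLE))
```

Correlation is keyed on source IP, so a chain split across two addresses appears only in the alerts list; any request to the reset endpoint on an unpatched instance merits review on its own.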
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
11/11/2024: Core Impact delivered a module to exploit CVE-2024-5910.
11/20/2024: Alert Logic and Tripwire released scan coverage to identify vulnerable instances.
11/21/2024: Alert Logic released agent-based scan detection to identify vulnerable instances.