
Palo Alto ‘critical’ vulnerability gives attackers a way in

The vulnerability was first discovered in July.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

A vulnerability in Palo Alto Networks’ migration tooling has been rated “critical” severity.

That’s the warning from the US Cybersecurity and Infrastructure Security Agency (CISA), which raised the alarm about the security flaw in Palo Alto’s Expedition migration tool on Nov. 7. Expedition is used primarily to migrate firewall configurations to Palo Alto from vendors like Check Point, Cisco, and others.

Way in. Known as CVE-2024-5910, the vulnerability allows attackers to infiltrate systems without authentication, allowing “an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data,” CISA said in its notice.

The vulnerability was discovered in July by Brian Hysell of Synopsys CyRC. Palo Alto patched the flaw, but the danger is ongoing.

Researcher Zach Hanley, of Horizon3.ai, found that CVE-2024-5910 can be chained with CVE-2024-9464, a command injection vulnerability that “allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls,” to achieve unauthenticated arbitrary command execution.

“At the time of writing, there are approximately 23 Expedition servers exposed to the internet, which makes sense given it doesn’t seem to be an application that would need to be exposed given its function,” Hanley wrote in a post detailing the exploit.

Locking up. As IT Brew reported in April, cybersecurity consolidation has been a priority for Palo Alto and competitors like CrowdStrike, which have encouraged their customers to use the all-in-one services they offer rather than a variety of vendors. While that approach does reduce the threat surface, it also leaves the door open to exploits like CVE-2024-5910, where a single way in can cause widespread damage.

After CrowdStrike’s meltdown in July, Palo Alto was one of the firms most eager to cut into its market share. “The recent outage has caused a number of customers to reevaluate their options,” CEO Nikesh Arora told investors in August. But as the latest vulnerability warning shows, there’s enough insecurity to go around.
