CVE-2024-9465
Published: 2024-10-09
Priority: P198 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability (remediation due 2024-12-05)
Exploited in the wild
EPSS: 99.60% (99.9th percentile)
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
Affected
5 ranges (the PAN-OS, Panorama and Prisma Access rows carry no version range: the vendor advisory states those products are not affected, only Expedition before 1.2.96 is)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | expedition | >= 1.2.0 < 1.2.96 | 1.2.96 |
| paloalto | pan-os | — | — |
| paloalto | panorama | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | expedition | >= 1.2.0 < 1.2.96 | 1.2.96 |
Detection & IOCs (extracted from sources)
command: action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(6)))test)
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palto Alto Expedition Unauthenticated SQL Injection in Checkpoint Config Parser (CVE-2024-9465)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bin/configurations/parsers/Checkpoint/CHECKPOINT.php"; fast_pattern; http.request_body; content:"action|3d|import"; content:"signatureid|3d|"; pcre:"/^[^\x26]*(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)?/i"; reference:url,www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/; reference:cve,2024-9465; classtype:web-application-attack; sid:2056642; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_10, cve CVE_2024_9465, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_10_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect exploitation attempts by monitoring for unauthenticated POST requests to /bin/configurations/parsers/Checkpoint/CHECKPOINT.php with body parameters action=import and signatureid containing SQL time-based blind injection payloads (e.g., SLEEP()).
- Use the Nuclei template's two-step flow: first confirm the endpoint is live by checking for 'ruleBasesNames' in the response body to a GET-type probe, then send the time-based SQLi payload and flag if the response duration is >= 6 seconds.
- Identify exposed Expedition instances via Shodan using favicon hash 1499876150 to scope detection and hunting efforts.
- The Snort/ET rule (sid:2056642) inspects the POST body for 'action=import' and 'signatureid=' combined with SQL keywords (SELECT, UNION, INSERT, DELETE, UPDATE, SHOW) via PCRE to catch a broad range of SQLi payloads against this endpoint.
- CVE-2024-9465 is actively exploited in the wild and listed in CISA KEV; prioritize detection on internet-exposed Expedition instances and alert on any unauthenticated access to the vulnerable CHECKPOINT.php endpoint.
- CVE-2024-9465 can be chained with CVE-2024-5910 (missing authentication, admin credential reset) and CVE-2024-9464 (authenticated command injection) to achieve full unauthenticated RCE as root; monitor for sequential exploitation of these endpoints.
- The vulnerability only affects Palo Alto Networks Expedition versions prior to 1.2.96; it does not affect PAN-OS firewalls, Panorama, Prisma Access, or Cloud NGFW.
- The Nuclei template uses a time-based blind SQLi detection method with a 6-second sleep threshold; tuning the timeout threshold may be necessary in high-latency environments to avoid false negatives or false positives.
- The ET Snort rule (sid:2056642) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect HTTPS traffic to Expedition; without SSL inspection the rule will not fire on encrypted sessions.
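The detection logic described in the notes above, as an added example in Python (not code from the page's sources, the ET rule, or the Nuclei template): it classifies POST requests to the CHECKPOINT.php endpoint the way the ET rule does (action=import plus SQL keywords or a SLEEP() call in the decoded signatureid value) over a few constructed log records, and it shows a baseline-relative timing check for the 6-second probe instead of a fixed cut-off, which is the tuning the high-latency note calls for. The log record format, the sample IPs, and the jitter margin are assumptions.

```python
import re
from urllib.parse import parse_qs

# Endpoint and body fields that the ET rule (sid:2056642) and the public PoC key on.
VULN_URI = "/bin/configurations/parsers/Checkpoint/CHECKPOINT.php"

# SQL keywords from the ET rule's PCRE, plus the SLEEP() call used by the
# time-based blind probe.  Applied to the decoded signatureid value only.
SQLI_RE = re.compile(
    r"SELECT\s.*?\b(?:FROM|USER)\b"
    r"|UNION\s+SELECT|UPDATE\s+SET|DELETE\s+FROM|INSERT\s+INTO"
    r"|SHOW\s+(?:TABLES|VARIABLES|CURDATE|CURTIME|CHARACTER\s+SET)"
    r"|/\*.*?\*/|\bSLEEP\s*\(",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample records (assumed format: "<ts> <src_ip> <method> <uri> <body-or-dash>").
# Records 1 and 4 are exploit-shaped; record 2 is a benign import; record 3 is unrelated.
SAMPLE_LOG = """\
2024-10-10T12:00:01Z 203.0.113.5 POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(6)))test)
2024-10-10T12:00:02Z 198.51.100.7 POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php action=import&type=test&project=demo&signatureid=42
2024-10-10T12:00:03Z 198.51.100.9 GET /login.php -
2024-10-10T12:00:04Z 203.0.113.5 POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php action=import&signatureid=1%27%20UNION%20SELECT%20user%2Cpassword%20FROM%20users--
"""


def classify_request(method, uri, body):
    """Return a short reason if the request has the CVE-2024-9465 exploit shape, else None.

    Shape: POST to the Checkpoint parser, action=import, and a signatureid value
    carrying SQL syntax.  parse_qs percent-decodes and splits on '&', which is what
    the rule's '^[^\\x26]*' prefix achieves by confining the PCRE to one parameter.
    """
    if method != "POST" or uri != VULN_URI:
        return None
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action") != ["import"]:
        return None
    values = params.get("signatureid")
    if not values:
        return None
    for value in values:  # a repeated parameter is still one request
        match = SQLI_RE.search(value)
        if match:
            return f"signatureid={value!r} contains {match.group(0)!r}"
    return None


def scan_log(text):
    """Run classify_request over every record; return (timestamp, src_ip, reason) hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, uri, body = line.split(" ", 4)
        reason = classify_request(method, uri, "" if body == "-" else body)
        if reason:
            hits.append((ts, src, reason))
    return hits


def looks_like_sleep(elapsed_s, baseline_s, sleep_s=6.0, margin_s=1.0):
    """Decide whether a timed probe response is late enough to indicate SLEEP(sleep_s).

    Measuring the delay relative to a baseline (the same request with a benign
    signatureid) rather than against a fixed 6 s cut-off keeps a slow link from
    producing false positives, since latency lifts both numbers and only the
    difference counts.  margin_s absorbs jitter; it is an assumed value to tune.
    """
    return (elapsed_s - baseline_s) >= (sleep_s - margin_s)


if __name__ == "__main__":
    for ts, src, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} ALERT CVE-2024-9465: {reason}")
    print("sleep probe positive:", looks_like_sleep(6.4, 0.3))
```

Like the ET rule, this only sees the body if the traffic is decrypted before it reaches the sensor; the benign record with signatureid=42 shows that a plain numeric id passes, so the alert depends on SQL syntax in the value, not on the endpoint alone.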
CVSS provenance
- NVD v3.1: 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- NVD v4.0: 9.2 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber
- VulnCheck: 9.2 CRITICAL
- CISA: 9.2 CRITICAL
GHSA
GHSA-9f2c-45xq-c486 (ghsa_unreviewed · 2024-10-09 · CVE-2024-9465 · CRITICAL · CWE-89)
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
VulnCheck
Palo Alto Networks Expedition SQL Injection Vulnerability (vulncheck · 2024 · CVSS 9.2 · CVE-2024-9465 · CRITICAL · CWE-89)
Palo Alto Networks Expedition contains a SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
Affected: Palo Alto Networks Expedition
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.fortiguard.com/outbreak-alert/palo-alto-expedition-vulnerability; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-11-13&host_type=src&vulnerability=cve-2024-9465; https://dashboard.sha
CISA
Palo Alto Networks Expedition SQL Injection Vulnerability (cisa · 2024-11-14 · CVSS 9.2 · CVE-2024-9465 · CRITICAL · CWE-89)
Affected: Palo Alto Networks Expedition
Palo Alto Networks Expedition contains a SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://security.paloaltonetworks.com/PAN-SA-2024-0010 ; https://nvd.nist.gov/vuln/detail/CVE-2024-9465
Remediation Due Date: 2024-12-05
Palo Alto
PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (vendor_paloalto · 2024-10-09 · CVSS 9.9 · CRITICAL · CWE-532)
Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system. Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. These issues do not affect the firewalls, Panorama, Prisma Access, or Cloud NGFW.
CVE · CVSS · Summary
CVE-2024-9463 · 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) · An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as roo
Suricata
ET WEB_SPECIFIC_APPS Palto Alto Expedition Unauthenticated SQL Injection in Checkpoint Config Parser (CVE-2024-9465) (suricata · 2024-10-10 · CVSS 9.2 · CVE-2024-9465 · CRITICAL)
Rule: sid:2056642; the full rule text is reproduced under Detection & IOCs above.
Nuclei
Palo Alto Expedition - SQL Injection (nuclei · CVSS 9.2 · CVE-2024-9465 · CRITICAL)
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
Template:
id: CVE-2024-9465
info:
  name: Palo Alto Expedition - SQL Injection
  author: DhiyaneshDK
  severity: high
  description: |
    An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
  impact: |
    Unauthen
Bleepingcomputer
CISA warns of more Palo Alto Networks bugs exploited in attacks (blogs_bleepingcomputer · 2024-11-14 · CVSS 9.9 · CVE-2024-9463 · CRITICAL)
## CISA warns of more Palo Alto Networks bugs exploited in attacks
Sergiu Gatlan
CISA warned today that two more critical security vulnerabilities in Palo Alto Networks' Expedition migration tool are now actively exploited in the wild.
Attackers can use the two unauthenticated command injection (CVE-2024-9463) and SQL injection (CVE-2024-9465) vulnerabilities to hack into unpatched systems running the company's Expedition migration tool, which helps migrate configurations from Checkpoint, Cisco, and other supported vendors.
While CVE-2024-9463 allows attackers to run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, the second flaw can be exploited to access Expedition database contents (includ
Wiz
Crying Out Cloud - November 2024 Newsletter | Wiz (blogs_wiz · 2024-11-01 · CVSS 7.2 · HIGH)
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Supply Chain Attack on lottie-player
On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player, injecting malicious code that populates a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platforms and other high-traffic websites. The compromised versions of lottie-player were later removed from major CDNs and npm, but websites still using compromised versions of the library remain affected.
Wiz
3 Critical CVEs in Palo Alto Networks Expedition | Wiz Blog (blogs_wiz · 2024-10-10 · CVSS 9.9 · CVE-2024-9463 · CRITICAL)
Palo Alto Networks’ Expedition tool contains multiple critical vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467), including OS command injection, SQL injection, cleartext storage of sensitive information, and cross-site scripting (XSS). These issues, with CVSS scores reaching 9.9, expose systems running Expedition to unauthorized access, credential theft, and administrative takeover. Exploitation requires minimal complexity and no user interaction, posing a critical risk to systems unless addressed promptly.
## What are these vulnerabilities?
Expedition is a tool designed to help the migration process of configurations from supported vendors to Palo Alto Networks systems. Expedition allows users to convert configurations from vendors like Checkpo
Bleepingcomputer
Palo Alto Networks warns of firewall hijack bugs with public exploit (blogs_bleepingcomputer · 2024-10-09 · CVSS 9.3 · CRITICAL)
## Palo Alto Networks warns of firewall hijack bugs with public exploit
Sergiu Gatlan
Palo Alto Networks warned customers today to patch security vulnerabilities (with public exploit code) that can be chained to let attackers hijack PAN-OS firewalls.
The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from Checkpoint, Cisco, or other supported vendors.
They can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts.
"Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system," the company said in an advisory publishe
Greynoiseio
NoiseLetter October 2024 (blogs_greynoiseio)
Timeline
- 2024-10-09: Published
- 2024-11-14: Added to CISA KEV
- Exploited in the wild