Palo Alto Networks warns of firewall hijack bugs with public exploit

Information:

     Palo Alto Networks is a leading cybersecurity company known for providing next-generation firewall solutions, cloud security, and various other advanced security technologies.

Incident:

Palo Alto Networks warned customers today to patch security vulnerabilities that can be chained to let attackers hijack PAN-OS firewalls.

The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate firewall configurations from Checkpoint, Cisco, and other supported vendors to PAN-OS. They can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts.

Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system.

Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

These bugs are a combination of command injection, reflected cross-site scripting (XSS), cleartext storage of sensitive information, missing authentication, and SQL injection vulnerabilities:

  • CVE-2024-9463 (unauthenticated command injection vulnerability)
  • CVE-2024-9464 (authenticated command injection vulnerability)
  • CVE-2024-9465 (unauthenticated SQL injection vulnerability)
  • CVE-2024-9466 (cleartext credentials stored in logs)
  • CVE-2024-9467 (unauthenticated reflected XSS vulnerability)
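
CVE-2024-9466 above is an instance of a wider bug class: credentials that are written to logs in cleartext, so anyone who can read the log file (here, through the file-read and SQL injection bugs listed alongside it) gets the secrets. The following is an added illustration of that class and of the usual fix, written for this page; it is not Expedition's code and assumes nothing about Expedition's log format. The secret field names, the regular expressions, and the sample request line are constructed for the example.

```python
"""Cleartext credentials in logs (the bug class behind CVE-2024-9466).

Added illustration, not Expedition's code: a generic logging filter that
masks secrets before they reach a log file, shown beside the unsafe pattern.
All field names and sample events are constructed for this example.
"""
import logging
import re
from io import StringIO

# Keys whose values must never be written to a log. These names are
# assumptions chosen for the example, not Expedition's field names.
SECRET_KEYS = ("password", "passwd", "api_key", "apikey", "key", "secret", "token")

# key=value pairs in query strings or free text, e.g. "password=hunter2" or
# "key=LUFRPT...". The value ends at whitespace or the next '&'.
_KV_RE = re.compile(r"(?i)\b(" + "|".join(SECRET_KEYS) + r")=([^&\s]+)")
# HTTP auth headers: "Authorization: Basic <base64>" / "Authorization: Bearer <token>"
_AUTH_RE = re.compile(r"(?i)(Authorization:\s*(?:Basic|Bearer)\s+)(\S+)")


def redact(text: str) -> str:
    """Return text with secret values replaced by a fixed marker."""
    text = _KV_RE.sub(lambda m: f"{m.group(1)}=<REDACTED>", text)
    text = _AUTH_RE.sub(lambda m: f"{m.group(1)}<REDACTED>", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message of every record the handler sees."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted; nothing left to interpolate
        return True


def _make_logger(name: str, redacting: bool) -> tuple:
    """Logger writing to an in-memory buffer so the output can be inspected."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redacting:
        handler.addFilter(RedactingFilter())
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger, buf


# Constructed sample event: what a migration tool might log while talking to a
# firewall API. Every secret in it is fake.
SAMPLE_EVENT = (
    "GET /api/?type=op&cmd=<show><system><info/></system></show>"
    "&key=LUFRPT1234EXAMPLEKEY user=admin password=hunter2 "
    "Authorization: Basic YWRtaW46aHVudGVyMg=="
)


def log_unsafe(event: str = SAMPLE_EVENT) -> str:
    """Vulnerable pattern: the raw request, secrets included, lands in the log."""
    logger, buf = _make_logger("unsafe", redacting=False)
    logger.info("firewall request: %s", event)
    return buf.getvalue()


def log_safe(event: str = SAMPLE_EVENT) -> str:
    """Hardened pattern: same call site, but the handler masks secrets first."""
    logger, buf = _make_logger("safe", redacting=True)
    logger.info("firewall request: %s", event)
    return buf.getvalue()


if __name__ == "__main__":
    print(log_unsafe())
    print(log_safe())
```

Attaching the filter to the handler rather than relying on every call site to remember to strip secrets is the point: the call site in `log_safe` is identical to the one in `log_unsafe`. A deny-list of key names will always be incomplete, so in a real deployment the list should be reviewed against the product's own parameter names and the log files should still be treated as sensitive.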

Recommendation:

     Update to Expedition 1.2.96 or a later version.
     After updating, rotate all Expedition usernames, passwords, and API keys, and also rotate all firewall usernames, passwords, and API keys that Expedition has processed, since they may already have been exposed.
     Until the update is applied, restrict network access to the Expedition host to authorized users, hosts, or networks only.

 

Security systems matter. We must stay vigilant and keep monitoring them as usual.
For more information please contact
Email :sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)

 

References:

-https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-firewall-hijack-bugs-with-public-exploit/

Weekly Interesting CVE

Columns of the original table: No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS Severity Rating | Detail | Solution | Reference

1. CVE-2024-38812
   Published: 17/9/2024   Last update: 2/10/2024
   Target: vCenter Server 7.0, 8.0; VMware Cloud Foundation 4.x, 5.x
   Attack type: Heap overflow
   CVSS: 9.8 (Critical)
   Detail: The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.
   Solution: No workaround; update to a fixed vCenter Server release as listed in the Broadcom advisory.
   Reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968

2. CVE-2024-20432
   Published: 2/10/2024   Last update: 4/10/2024
   Target: Cisco Nexus Dashboard Fabric Controller (NDFC)
   Attack type: Command injection
   CVSS: 8.6 (High)
   Detail: A vulnerability in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to perform a command injection attack against an affected device.
   Solution: No workaround; Cisco has released fixed software (see the advisory).
   Reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-cmdinj-UvYZrKfr

3. CVE-2024-8686
   Published: 11/9/2024   Last update: 3/10/2024
   Target: Palo Alto Networks PAN-OS 11.2.2
   Attack type: Command injection
   CVSS: 8.6 (High)
   Detail: A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as root on the firewall.
   Solution: Update to PAN-OS 11.2.3 or later.
   Reference: https://app.opencve.io/cve/CVE-2024-8686

4. CVE-2024-1066
   Published: 7/2/2024   Last update: 3/10/2024
   Target: GitLab EE versions 13.3.0 to 16.6.6, 16.7 to 16.7.4, and 16.8 to 16.8.1
   Attack type: Denial of Service (DoS)
   CVSS: 6.5 (Medium)
   Detail: An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to cause resource exhaustion using the GraphQL `vulnerabilitiesCountByDay` query.
   Solution: Update to 16.6.7 for the 16.6 series, 16.7.5 for the 16.7 series, or 16.8.2 for the 16.8 series.
   Reference: https://app.opencve.io/cve/CVE-2024-1066

5. CVE-2024-46486
   Published: 4/10/2024   Last update: 4/10/2024
   Target: TP-LINK TL-WDR5620 v2.3
   Attack type: Remote code execution (RCE)
   CVSS: 8.0 (High)
   Detail: TP-LINK TL-WDR5620 v2.3 was discovered to contain a remote code execution (RCE) vulnerability via the httpProcDataSrv function.
   Solution: No workaround.
   Reference: https://app.opencve.io/cve/CVE-2024-46486
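
The fixed versions given in the Recommendation section and in the CVE table above are only useful once they are compared against what is actually deployed. The following is an added example written for this page, not vendor tooling: it encodes the affected and fixed ranges exactly as the page states them and reports which entries apply to a given product version. The product names used as dictionary keys and the sample inventory are this example's own constructions. The comparison is purely numeric, so a PAN-OS hotfix such as 11.2.2-h1 parses to (11, 2, 2, 1) and is still reported as affected, which is the conservative result; confirm such cases against the vendor advisory.

```python
"""Version-range check for the fixed versions cited on this page.

Added example, not vendor tooling. Ranges are taken from the page's own
Recommendation section and CVE table; product labels and the inventory at
the bottom are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(s: str) -> tuple:
    """'1.2.96' -> (1, 2, 96). Tuples compare element-wise, and a shorter tuple
    sorts before a longer one with the same prefix, so (16, 7) < (16, 7, 0)."""
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"no numeric components in version {s!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Affected:
    """Half-open range: start <= version < fixed. start=None means every earlier version."""
    fixed: str
    start: Optional[str] = None

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.start is not None and v < parse_version(self.start):
            return False
        return v < parse_version(self.fixed)


# Affected ranges as stated on this page. Product keys are this example's labels.
ADVISORIES = {
    "Expedition": {
        cve: [Affected(fixed="1.2.96")]
        for cve in ("CVE-2024-9463", "CVE-2024-9464", "CVE-2024-9465",
                    "CVE-2024-9466", "CVE-2024-9467")
    },
    "PAN-OS": {"CVE-2024-8686": [Affected(start="11.2.2", fixed="11.2.3")]},
    "GitLab EE": {
        "CVE-2024-1066": [
            Affected(start="13.3.0", fixed="16.6.7"),
            Affected(start="16.7", fixed="16.7.5"),
            Affected(start="16.8", fixed="16.8.2"),
        ]
    },
}


def applicable_cves(product: str, version: str) -> list:
    """CVE IDs from ADVISORIES whose affected ranges include this version."""
    return sorted(
        cve for cve, ranges in ADVISORIES.get(product, {}).items()
        if any(r.contains(version) for r in ranges)
    )


def scan(inventory) -> dict:
    """Map (product, version) -> applicable CVEs for every inventory entry."""
    return {(p, v): applicable_cves(p, v) for p, v in inventory}


# Constructed inventory for the example.
SAMPLE_INVENTORY = [
    ("Expedition", "1.2.95"),
    ("Expedition", "1.2.96"),
    ("PAN-OS", "11.2.2"),
    ("GitLab EE", "16.7.4"),
    ("GitLab EE", "16.6.9"),   # 16.6 branch, already past the 16.6.7 fix
]

if __name__ == "__main__":
    for (product, version), cves in scan(SAMPLE_INVENTORY).items():
        print(f"{product} {version}: {', '.join(cves) or 'not affected'}")
```

The GitLab entry is the one worth studying: three separate half-open ranges are needed because each release branch received its own fix, so 16.6.9 is clean while 16.7.4 is not, even though 16.7.4 is the numerically higher version.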

Malware News or Campaign IOC/IOA | EN

Columns of the original table: No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation

1. Kansas' City of Arkansas Water Treatment Facility Hit by a Suspected Ransomware Cyber Attack
   Detection date: 3/10/2024
   Attack type: Ransomware
   Description: On September 22, 2024, a cyberattack targeted the water treatment system of Arkansas City in Kansas, and it is suspected to be a ransomware attack. This incident led to disruptions in the city's water system, which significantly affected its ability to deliver essential services and manage the security of the water supply provided to its residents. City authorities are collaborating with law enforcement agencies and cybersecurity organizations to thoroughly investigate the incident and assess the extent of the damage caused. At present, no clear information has been made available regarding the attackers or the motivation behind this cyberattack.
   Mitigation/Remediation:
     • Implement Multi-Factor Authentication (MFA) to strengthen security when accessing critical systems.
     • Regularly back up essential data and routinely test the recovery process to ensure that data can be restored in the event of a cyberattack.
     • Conduct cybersecurity training for employees so they are equipped to identify and respond to threats, such as phishing emails, effectively.
   Ref: https://www.cpomagazine.com/cyber-security/kansas-city-of-arkansas-water-treatment-facility-hit-by-a-suspected-ransomware-cyber-attack/

22 October 2024
