CVE-2024-5910: Understanding the Critical Expedition Vulnerability
CVE-2024-5910 is a critical vulnerability in Palo Alto Networks' Expedition tool, widely used for firewall configuration migrations.
The flaw, stemming from missing authentication for a critical function, allows attackers with network access to the Expedition interface to gain administrative privileges without authorization.
This issue, which carries a CVSS score of 9.3, represents a significant security risk, particularly for organizations using Expedition to manage sensitive configuration data.
What is Expedition?
Expedition simplifies the migration of firewall configurations from third-party systems to Palo Alto Networks devices. This process often involves importing sensitive credentials, secrets, and configurations, making the tool's security paramount.
Exploit details
The vulnerability could be exploited by sending crafted requests to reset the administrator password, granting attackers access to the system. Once inside, malicious actors could extract sensitive information, tamper with configurations, or launch further attacks against connected systems.
Public proof of concept (PoC) code for exploiting this vulnerability is now available, increasing the urgency of mitigation measures.
Which systems are affected?
This vulnerability affects Expedition versions before 1.2.92, as detailed in the advisory from Palo Alto Networks. Systems that expose Expedition to the internet are at heightened risk, with recent scans identifying several instances accessible online.
Mitigation steps
- Update Expedition: Upgrade to version 1.2.92 or later, where the vulnerability has been patched.
- Restrict access: Ensure that network access to the Expedition tool is limited to trusted hosts and users. There’s no valid reason for the tool to be accessible from untrusted networks.
- Change credentials: Rotate all administrator passwords, API keys, and firewall credentials processed through Expedition to mitigate potential compromises.
- Monitor for indicators of compromise (IoCs): Look for unusual activities in logs or changes to configurations, which may indicate exploitation.
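As an added defensive example (not code from the original post, from Palo Alto Networks, or from Immersive Labs), the script below works through the "Monitor for IoCs" step above over constructed access-log lines: it flags any request to the admin password-reset function, raises the severity when the request comes from outside the trusted network, and escalates when a login from the same source follows shortly after. The endpoint paths and the trusted network are assumptions, since the post does not name them.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed values, not taken from the advisory: the two paths are placeholders for the
# Expedition admin-reset and login endpoints, and the trusted network is constructed.
ADMIN_RESET_PATH = "/ADMIN_RESET_ENDPOINT_PLACEHOLDER"
LOGIN_PATH = "/LOGIN_ENDPOINT_PLACEHOLDER"
TRUSTED_NETS = [ipaddress.ip_network("10.10.5.0/24")]
LOGIN_WINDOW = timedelta(minutes=5)
# Constructed sample access-log lines (Apache combined format) for illustration only.
SAMPLE_LOG = """\
203.0.113.45 - - [08/Nov/2024:10:14:02 +0000] "POST /ADMIN_RESET_ENDPOINT_PLACEHOLDER HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.45 - - [08/Nov/2024:10:14:05 +0000] "POST /LOGIN_ENDPOINT_PLACEHOLDER HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.10.5.12 - - [08/Nov/2024:10:20:11 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.5.12 - - [08/Nov/2024:10:21:30 +0000] "POST /LOGIN_ENDPOINT_PLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def find_indicators(log_text):
    """Return (severity, source_ip, reason) tuples for admin-reset activity."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for ev in events:
        if ev["path"] != ADMIN_RESET_PATH:
            continue
        # Any reset request is an IoC; one from outside the trusted network is worse.
        findings.append(("high" if not is_trusted(ev["ip"]) else "medium", ev["ip"],
                         "admin password reset request"))
        # A login from the same source soon after the reset suggests the new password was used.
        if any(ev2["ip"] == ev["ip"] and ev2["path"] == LOGIN_PATH
               and ev["ts"] <= ev2["ts"] <= ev["ts"] + LOGIN_WINDOW for ev2 in events):
            findings.append(("critical", ev["ip"], "login following admin password reset"))
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(*finding)
```

Point the script at the real Expedition web server access log and replace the placeholder paths and trusted network with your own values before relying on its output.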
Recommended content
To learn more about this vulnerability by interacting with it in a sandboxed environment, we have both an offensive and a defensive lab on the platform.
The offensive scenario allows you to perform the exploitation using the PoC, whereas our defensive scenario upskills users by describing how to identify the IoCs – giving participants a deep understanding of how the exploit would appear in their environment.
To find these labs and others, simply type the relevant CVE number into the Immersive Labs Search Bar.
Final thoughts
CVE-2024-5910 underscores the importance of promptly addressing vulnerabilities in tools that manage critical infrastructure configurations.
Organizations should also stay on top of new and emerging threats, patch affected systems immediately, and follow best practices for securing administrative tools like Expedition.
Using the Immersive Labs platform, organizations can gain a deep understanding of the most critical vulnerabilities and exploits and prepare for them in a practical and safe setting.
For more details from the affected vendor, refer to the official Palo Alto Networks security advisory.