Palo Alto Networks has issued critical security updates in response to five vulnerabilities affecting its products, including a significant flaw that poses an authentication bypass risk. This vulnerability, identified as CVE-2024-5910, has been assigned a high CVSS score of 9.3 and pertains to a missing authentication issue in the Expedition migration tool. The lack of proper authentication could potentially allow attackers with network access to take over an admin account, jeopardizing configuration secrets, credentials, and various data imported into the tool.
The company emphasized the severity of the vulnerability, advising that all versions of Expedition prior to 1.2.92 are at risk and that the update resolves the defect. The identification and reporting of this issue are attributed to Brian Hysell from the Synopsys Cybersecurity Research Center (CyRC). While there have been no reported incidents of exploitation in the wild, Palo Alto Networks recommends that users update to the latest version as a precaution against possible threats. The firm also suggests limiting network access to the Expedition tool exclusively to authorized users, hosts, or networks.
In addition to the Expedition flaw, Palo Alto Networks has addressed another recently disclosed vulnerability related to the RADIUS protocol, known as BlastRADIUS (CVE-2024-3596). This vulnerability permits attackers capable of executing adversary-in-the-middle (AitM) attacks to bypass authentication between Palo Alto Networks PAN-OS firewalls and RADIUS servers. The threat allows the escalation of privileges to “superuser” level, exploiting RADIUS authentication when either CHAP or PAP is configured in the RADIUS server profile.
The flaws affect several PAN-OS versions: 11.1 (versions below 11.1.3), 11.0 (versions below 11.0.4-h4), 10.2 (versions below 10.2.10), 10.1 (versions below 10.1.14), and 9.1 (versions below 9.1.19). Prisma Access is also impacted across all versions, with a fix expected to be available on July 30. Security experts advise against using CHAP or PAP unless they are encapsulated in an encrypted tunnel, since neither protocol provides Transport Layer Security (TLS) on its own; they remain secure only when carried inside a TLS tunnel.
Moreover, PAN-OS firewalls configured to use EAP-TTLS with PAP as the RADIUS server authentication protocol are not vulnerable to this attack. The newly disclosed vulnerabilities map to adversary tactics in the MITRE ATT&CK framework, namely initial access through exploitation of a network-reachable service and privilege escalation through authentication misconfigurations.
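As an added example (not code from Palo Alto Networks or the advisory), the following Python helper checks inventory version strings against the fixed releases named above for both the Expedition and the PAN-OS BlastRADIUS fixes. It assumes versions are written in PAN-OS's `major.minor.maint[-hN]` form, parses the hotfix suffix so that 11.0.4 is flagged while 11.0.4-h4 is not, and does not inspect whether a RADIUS server profile actually uses CHAP or PAP.

```python
import re

# Fixed release per PAN-OS branch for CVE-2024-3596 (BlastRADIUS), as listed
# in the advisory summarized above. A version is affected if it belongs to a
# listed branch and sorts below that branch's fixed release.
PANOS_FIXED = {
    "11.1": "11.1.3",
    "11.0": "11.0.4-h4",
    "10.2": "10.2.10",
    "10.1": "10.1.14",
    "9.1": "9.1.19",
}

EXPEDITION_FIXED = "1.2.92"  # CVE-2024-5910: all prior versions affected

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maint, hotfix) for strings such as '11.0.4-h4'.

    A release with no hotfix suffix sorts as hotfix 0, so 11.0.4 < 11.0.4-h4
    and 11.1.3-h1 >= 11.1.3, matching how hotfixes layer on a base release.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def panos_blastradius_status(version):
    """Return 'affected', 'fixed', or 'unlisted' for a PAN-OS version.

    'unlisted' means the branch is not named in the advisory; treat it as
    needing manual review rather than as safe.
    """
    parsed = parse_version(version)
    fixed = PANOS_FIXED.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return "unlisted"
    return "affected" if parsed < parse_version(fixed) else "fixed"


def expedition_status(version):
    """Return 'affected' or 'fixed' for an Expedition version string."""
    return "affected" if parse_version(version) < parse_version(EXPEDITION_FIXED) else "fixed"


def affected_hosts(inventory):
    """Given {hostname: panos_version} (constructed sample), list hosts still affected."""
    return sorted(h for h, v in inventory.items() if panos_blastradius_status(v) == "affected")
```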
Cybersecurity stakeholders are called to prioritize system updates and implement stringent access controls as part of their security protocol. Enhancing awareness of these vulnerabilities and their implications will be crucial for maintaining robust cybersecurity defenses in an increasingly complex threat landscape.