Palo Alto Networks Expedition Vulnerability Puts Admin Accounts at Risk

November 11, 2024

In July 2024, a critical vulnerability, CVE-2024-5910, was identified in Palo Alto Networks’ Expedition tool.

This vulnerability, which scores a 9.3 on the CVSS 3.0 scale, exposes Expedition to a significant risk of admin account takeover by unauthorised parties with network access to the tool. As organisations increasingly rely on automation tools like Expedition for configuration migration, tuning, and enrichment, this security flaw is one that affected users cannot afford to overlook.

Here’s a deep dive into the CVE-2024-5910 vulnerability, its implications, and what steps organisations should take to secure their systems.

CVE-2024-5910 Vulnerability Overview

CVE: CVE-2024-5910

CVSS Score: 9.3 (Critical)

CWE Reference: CWE-306 (Missing Authentication for Critical Function)

Expedition is a migration and optimisation tool that helps administrators configure Palo Alto Networks firewalls, import configurations, and tune security policies. However, CVE-2024-5910 exposes this tool to significant risk by lacking proper authentication for critical administrative functions. This missing authentication can allow malicious actors with network access to Expedition to gain administrative control, putting sensitive data and configuration secrets at risk.

Impact and Exploitation Risks

Palo Alto Networks has acknowledged that this vulnerability could allow unauthorised parties to take over admin accounts if they have network access to the Expedition tool. This access could lead to:

  • Exposure of sensitive configuration data: Including imported credentials, network secrets, and other confidential settings.
  • Admin account compromise: Attackers gaining admin-level control over Expedition can potentially manipulate configurations, inject malicious rules, or even modify firewall settings, compromising the security posture of the organisation.
  • Active Exploitation: The Cybersecurity and Infrastructure Security Agency (CISA) has reported that CVE-2024-5910 is actively being exploited in the wild, making immediate action even more critical.

This vulnerability is particularly concerning because attackers exploiting this flaw can leverage their access to pivot into other parts of the network. Known ransomware operators are already using vulnerabilities in widely deployed tools like Expedition to launch attacks on organisations.

Technical Details: Missing Authentication for Critical Function

CVE-2024-5910 is associated with CWE-306: Missing Authentication for Critical Function. This category indicates that Expedition fails to verify the identity of users attempting to perform administrative functions, allowing attackers with network access to bypass restrictions meant to limit access to critical functionality. Without proper authentication, Expedition effectively opens up its administrative backend, leaving sensitive configurations vulnerable to unauthorised access and potential modification.

Products Affected

The affected product is Palo Alto Networks Expedition, versions prior to 1.2.92.

Any organisations running Expedition versions older than 1.2.92 should take immediate action to mitigate this vulnerability by updating to the latest version, as it contains security patches addressing the flaw.

Mitigation Steps

Palo Alto Networks has provided a patch (version 1.2.92) that addresses this vulnerability. However, for organisations unable to update immediately or looking to bolster their defences further, several mitigation steps can reduce the likelihood of exploitation:

  1. Restrict Network Access

Ensure that network access to Expedition is limited strictly to authorised users, hosts, or networks. This can be achieved through firewall rules, VPN access, or network segmentation, ensuring that only trusted devices can communicate with Expedition.

  2. Apply Security Updates

The most effective way to address this vulnerability is to update Expedition to version 1.2.92 or later. This update includes critical fixes that add authentication for the affected functions, safeguarding the tool from unauthorised access.

  3. Implement Strong Network Segmentation

Isolating sensitive systems, such as Expedition, from other parts of the network can prevent attackers from easily moving laterally. If the Expedition server is compromised, network segmentation limits the impact, preventing unauthorised access to other systems.

  4. Review Access Control Policies Regularly

Regularly reviewing and tightening access control policies ensures that only authorised personnel have access to Expedition’s administrative functions. Implement role-based access control (RBAC) to limit admin privileges to essential users only.

  5. Enable Logging and Monitoring

Monitoring Expedition and other critical systems can help detect suspicious activity early. Set up alerts for unauthorised access attempts, abnormal configurations, or login attempts from unusual IP addresses.

  6. Conduct Security Awareness Training

Ensuring that IT staff and admins are aware of the vulnerability can significantly reduce risks. By training them to recognise signs of exploitation or unauthorised access, teams can act faster to prevent further compromise.
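The two mitigation steps that are easiest to turn into a routine check are the version check (step 2) and the network-access and monitoring steps (steps 1 and 5). The script below is an added example written for this article, not Palo Alto Networks or Expedition code. It takes only two facts from the page, that versions older than 1.2.92 are affected and that access should be limited to trusted management networks, and checks them: `is_affected()` compares an Expedition version string against 1.2.92, and `find_unexpected_sources()` reads web-server access log lines for the Expedition host and reports every request whose source address is outside an allow-list. The allow-listed networks, the combined-format log layout and the sample log lines are all constructed for the demonstration.

```python
"""Defender-side checks for CVE-2024-5910 (added example, not vendor code).

1. is_affected(version)            -> True when Expedition is older than 1.2.92
2. find_unexpected_sources(lines)  -> requests to Expedition from outside the
                                      management networks allowed to reach it
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Version that contains the fix, as stated in the advisory summary above.
FIXED_VERSION = (1, 2, 92)

# Constructed allow-list: management networks permitted to reach Expedition.
# Replace with your own ranges; these are assumptions for the example.
ALLOWED_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Combined/common access-log format: client ip, identity, user, [timestamp],
# "METHOD path protocol", status, size.  The layout is an assumption; adjust
# the pattern if your reverse proxy logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(version: str) -> tuple:
    """Turn '1.2.92' into (1, 2, 92) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the installed Expedition version predates the 1.2.92 fix."""
    return parse_version(version) < FIXED_VERSION


def find_unexpected_sources(
    lines: Iterable[str], allowed_nets=ALLOWED_NETS
) -> List[Dict[str, object]]:
    """Return every parsed request whose client IP is outside allowed_nets.

    Any hit is worth an alert: the vulnerable functions need no credentials,
    so 'who can reach the host at all' is the control that matters most
    until the patch is applied.
    """
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not access-log records
        client = ipaddress.ip_address(match["ip"])
        if any(client in net for net in allowed_nets):
            continue
        findings.append(
            {
                "ip": str(client),
                "ts": match["ts"],
                "method": match["method"],
                "path": match["path"],
                "status": int(match["status"]),
            }
        )
    return findings


# Constructed sample log: two lines from the management network, two from
# documentation-range addresses that should never reach Expedition, one from
# the second allowed network.  Paths are placeholders, not real endpoints.
SAMPLE_LOG = """\
10.10.0.15 - - [08/Nov/2024:09:12:01 +0000] "GET /login.php HTTP/1.1" 200 1532
10.10.0.15 - - [08/Nov/2024:09:12:09 +0000] "POST /login.php HTTP/1.1" 302 0
203.0.113.77 - - [08/Nov/2024:09:14:33 +0000] "POST /placeholder-admin-path HTTP/1.1" 200 45
198.51.100.9 - - [08/Nov/2024:09:15:02 +0000] "GET / HTTP/1.1" 200 812
192.168.50.3 - - [08/Nov/2024:09:16:40 +0000] "GET /login.php HTTP/1.1" 200 1532
""".splitlines()


def main() -> None:
    for ver in ("1.2.91", "1.2.92"):
        print(f"Expedition {ver}: {'AFFECTED' if is_affected(ver) else 'patched'}")
    for hit in find_unexpected_sources(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")


if __name__ == "__main__":
    main()
```

Run against the constructed log the script flags the two requests from 203.0.113.77 and 198.51.100.9 and leaves the management-network traffic alone. In production, feed it the reverse-proxy or web-server log in front of Expedition and raise the alert on any finding at all; a request from outside the allow-list means the network restriction in step 1 has a gap, whether or not the request succeeded.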

With CVE-2024-5910 already being actively exploited in the wild, it’s essential for organisations using Palo Alto Networks’ Expedition tool to prioritise remediation efforts. By updating to the latest version and implementing additional safeguards, businesses can protect their configurations, credentials, and network from unauthorised access.

For the latest information on CVE-2024-5910, including update releases and specific mitigation techniques, please refer to the official Palo Alto Networks security advisory for CVE-2024-5910.
