Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2024-5910

Disclosure Date: July 10, 2024
Exploited in the Wild
Reported by AttackerKB Worker and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.

Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.

Add Assessment

3
Ratings
Technical Analysis

Note: While this is a “just” password reset attack, there are authenticated vulnerabilities in the same product versions, including CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466 that are available after the password is reset.
This is a vulnerability in the password reset of the Palo Alto Expedition web server, and is disturbingly simple. The password reset script is located in the /var/www/html directory, so it can be launched with the command curl -k 'https://<host>/OS/startup/restore/restoreAdmin.php'
That resets the admin password to the default paloalto
It is important to know this vulnerability can be paired with CVE-2024-9464, an authenticated command-injection vulnerability in Palo Alto Expedition. Attackers can reset the password using CVE-20245910, then use the credentials to exploit CVE-2024-9464.

This affects Expedition versions 1.2 up to 1.2.92; 1.2.92 is patched.
There ill be an obvious indications of compromise in that the admin password is changed.
Non-patching mitigations are unfortunately slim and rely on limiting access to trusted people, but that may not be an option in most cases. Setting up network based rules to prevent the request would likely work, but probably be as difficult and less reliable than patching to an unaffected version.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • paloaltonetworks

Products

  • expedition

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis