Attacker Value: Moderate (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2024-5910

Disclosure Date: July 10, 2024
Exploited in the Wild
Reported by AttackerKB Worker and 1 more...
Initial Access
Techniques
Validation
Validated

Description

Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.

Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.

Technical Analysis

Note: While this is “just” a password reset attack, there are authenticated vulnerabilities in the same product versions, including CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466, that are available after the password is reset.
This is a vulnerability in the password reset of the Palo Alto Expedition web server, and is disturbingly simple. The password reset script is located in the /var/www/html directory, so it can be launched with the command curl -k 'https://<host>/OS/startup/restore/restoreAdmin.php'
That resets the admin password to the default paloalto.
It is important to know this vulnerability can be paired with CVE-2024-9464, an authenticated command-injection vulnerability in Palo Alto Expedition. Attackers can reset the password using CVE-2024-5910, then use the credentials to exploit CVE-2024-9464.

This affects Expedition versions 1.2 up to 1.2.92; 1.2.92 is patched.
There will be an obvious indication of compromise in that the admin password is changed.
Non-patching mitigations are unfortunately slim and rely on limiting access to trusted people, but that may not be an option in most cases. Setting up network-based rules to prevent the request would likely work, but would probably be as difficult as, and less reliable than, patching to an unaffected version.
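
A log check for the request described in the assessment above, as an added example (not part of the original assessment or of any vendor tooling): it scans web access logs for requests to the reset script and counts later requests from the same client. The Apache combined log format, the sample log lines and the /example/ paths are assumptions constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Script path from the assessment above, lower-cased for comparison.
RESET_PATH = "/os/startup/restore/restoreadmin.php"
# Assumption: Apache "combined" access-log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def canonical_path(target):
    """Reduce a request target to a comparable path (no host, query, encoding or dot segments)."""
    path = re.sub(r"^[a-z]+://[^/]+", "", target, flags=re.I).split("?", 1)[0]
    for _ in range(2):                      # single and double percent-encoding
        path = unquote(path)
    path = re.sub(r"/{2,}", "/", path)      # normpath keeps a leading "//"
    return normpath(path).lower()

def find_reset_requests(lines):
    """One finding per request for the reset script, counting that client's later requests."""
    findings, by_ip = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip lines in another format
        for earlier in by_ip.get(m["ip"], []):
            earlier["later_requests"] += 1
        if canonical_path(m["target"]) == RESET_PATH:
            hit = {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                   "target": m["target"], "later_requests": 0}
            findings.append(hit)
            by_ip.setdefault(m["ip"], []).append(hit)
    return findings

# Constructed sample log: documentation IP ranges and placeholder /example/ paths.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2024:09:14:01 +0000] "GET /example/page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jul/2024:09:15:22 +0000] "GET /OS/startup/restore/restoreAdmin.php HTTP/1.1" 200 310 "-" "curl/8.5.0"',
    '192.0.2.44 - - [10/Jul/2024:09:15:40 +0000] "POST /example/login HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Jul/2024:09:16:02 +0000] "GET /example/page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [10/Jul/2024:09:17:11 +0000] "GET //OS/startup/./restore/restoreAdmin.php?x=1 HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.44 - - [10/Jul/2024:09:18:30 +0000] "GET /example/page HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for hit in find_reset_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 and a non-zero later_requests count is the one to triage first, since the assessment describes the reset being followed by use of the new credentials.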

CVSS V3 Severity and Metrics
Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • paloaltonetworks

Products

  • expedition
