Attacker Value: Low (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

CVE-2024-9464

Disclosure Date: October 09, 2024
MITRE ATT&CK Tactics: Execution
Validation: Validated

Description

An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.


3 Ratings
Technical Analysis

Note: While this is an authenticated exploit, CVE-2024-5910 affects the same versions and allows an attacker to reset the admin password to allow authentication.
This vulnerability allows attackers to execute commands on a Palo Alto Expedition web server. The vulnerability is the result of poor sanitization of the start_time parameter when creating a cron_job. By appending a semicolon to the start_time parameter in the web request, a user can then add a command to be executed as www-data.
The attack is somewhat limited by the size of the command, but at ~90 bytes, it is still plenty to use for an attack, especially since the attack is repeatable.
Mitigations:
Given that this appears paired with other exploits (see https://www.horizon3.ai/attack-research/disclosures/palo-alto-expedition-from-n-day-to-full-compromise), patching everything is strongly recommended.
It is possible to limit access through firewall settings and NIDS, but both of those would take far longer and be more difficult than simply patching the affected systems.
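As an added illustration (not part of the assessment above, and not Expedition's own code), the following Python shows the defensive side of the pattern the analysis describes: a cron start time that reaches a shell. It allow-lists the start_time value, builds the crontab line from parsed integers rather than the raw string, hands it to crontab as an argv list with no shell involved, and flags request log lines whose start_time fails the allow-list. The HH:MM field format, the /example/cron_job path, the job script path and the sample log lines are all assumptions constructed for this example.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Allow-list for the start time: exactly "HH:MM", 24-hour clock.
# Hypothetical field format assumed for this example; the page does not
# document Expedition's real field shape.
START_TIME_RE = re.compile(r"(?:[01][0-9]|2[0-3]):[0-5][0-9]")


def parse_start_time(value):
    """Return (hour, minute) as ints if value is exactly HH:MM, else None.

    Anything outside the allow-list (a trailing ';...' segment, a newline,
    a '$(...)' substitution) is rejected here, before any command is built,
    so no shell ever interprets it.
    """
    if START_TIME_RE.fullmatch(value) is None:
        return None
    hour, minute = value.split(":")
    return int(hour), int(minute)


def build_cron_entry(start_time, script_path):
    """Build the crontab line from the validated integers, never from the raw string."""
    parsed = parse_start_time(start_time)
    if parsed is None:
        raise ValueError("start_time rejected by allow-list")
    hour, minute = parsed
    return f"{minute} {hour} * * * {script_path}"


def install_cron_entry(start_time, script_path, runner=subprocess.run):
    """Install the entry via crontab's stdin.

    The command is an argv list (no shell=True), so even the validated value
    is passed as data, not parsed as shell syntax. `runner` is injectable so
    the function can be exercised without touching the real crontab.
    """
    entry = build_cron_entry(start_time, script_path) + "\n"
    return runner(["crontab", "-"], input=entry, text=True, check=True)


def flag_suspicious_requests(log_lines):
    """Detection helper: return log lines ('METHOD PATH?QUERY', constructed format)
    whose start_time parameter fails the same allow-list the application enforces."""
    flagged = []
    for line in log_lines:
        parts = line.split(" ", 1)
        if len(parts) < 2 or "?" not in parts[1]:
            continue
        query = parts[1].split("?", 1)[1]
        params = parse_qs(query, keep_blank_values=True)
        if any(parse_start_time(v) is None for v in params.get("start_time", [])):
            flagged.append(line)
    return flagged


# Constructed sample log lines; /example/cron_job is a placeholder path, not the product's.
SAMPLE_LOG = [
    "POST /example/cron_job?action=add&start_time=02:30",
    "POST /example/cron_job?action=add&start_time=02%3A30%3Bid",
    "GET /example/index",
]

if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("rejected start_time in request:", hit)
```

The two checks share one allow-list on purpose: the value the application refuses to schedule is exactly the value the detection logic reports, so a mismatch between what is blocked and what is alerted on cannot creep in.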

CVSS V3 Severity and Metrics
Base Score: 6.5 Medium
Impact Score: 3.6
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

General Information

Vendors

  • paloaltonetworks

Products

  • expedition
