9.8 CVE-2024-5910
CISA Kev Catalog CSRF Exploit
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.
https://nvd.nist.gov/vuln/detail/CVE-2024-5910
Categories
CWE-306 : Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302]. Chain: a digital asset management program has an undisclosed backdoor in the legacy version of a PHP script (CWE-912) that could allow an unauthenticated user to export metadata (CWE-306) TCP-based protocol in Programmable Logic Controller (PLC) has no authentication. Condition Monitor firmware uses a protocol that does not require authentication. SCADA-based protocol for bridging WAN and LAN traffic has no authentication. Safety Instrumented System uses proprietary TCP protocols with no authentication. Distributed Control System (DCS) uses a protocol that has no authentication. Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV. Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access WiFi router does not require authentication for its UART port, allowing adversaries with physical access to execute commands as root IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV. Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV. MFV. Access TFTP server without authentication and obtain configuration file with sensitive plaintext information. Agent software running at privileges does not authenticate incoming requests over an unprotected channel, allowing a Shatter" attack. Product enforces restrictions through a GUI but not through privileged APIs. monitor device allows access to physical UART debug port without authentication Programmable Logic Controller (PLC) does not have an authentication feature on its communication protocols.
References
af854a3a-2127-422b-91ae-364da2661108 Exploit
https://security.paloaltonetworks.com/CVE-2024-5910 Vendor Advisory |
https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-fu... Exploit Third Party Advisory |
psirt@paloaltonetworks.com Exploit
https://security.paloaltonetworks.com/CVE-2024-5910 Vendor Advisory |
CPE
cpe | start | end |
---|---|---|
Configuration 1 | ||
cpe:2.3:a:paloaltonetworks:expedition:*:*:*:*:*:*:*:* | >= 1.2.0 | < 1.2.92 |
REMEDIATION
EXPLOITS
Exploit-db.com
id | description | date | |
---|---|---|---|
No known exploits |
POC Github
Url |
---|
https://github.com/Farzan-Kh/CVE-2024-5910 |
Other Nist (github, ...)
Url |
---|
https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-fu... |
CAPEC
Common Attack Pattern Enumerations and Classifications
id | description | severity |
---|---|---|
12 | Choosing Message Identifier |
High |
166 | Force the System to Reset Values |
Medium |
216 | Communication Channel Manipulation |
|
36 | Using Unpublished Interfaces or Functionality |
High |
62 | Cross Site Request Forgery |
Very High |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.