9.8 CVE-2024-5910

CISA Kev Catalog CSRF Exploit
 

Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.
https://nvd.nist.gov/vuln/detail/CVE-2024-5910

Categories

CWE-306 : Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302]. Chain: a digital asset management program has an undisclosed backdoor in the legacy version of a PHP script (CWE-912) that could allow an unauthenticated user to export metadata (CWE-306) TCP-based protocol in Programmable Logic Controller (PLC) has no authentication. Condition Monitor firmware uses a protocol that does not require authentication. SCADA-based protocol for bridging WAN and LAN traffic has no authentication. Safety Instrumented System uses proprietary TCP protocols with no authentication. Distributed Control System (DCS) uses a protocol that has no authentication. Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV. Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access WiFi router does not require authentication for its UART port, allowing adversaries with physical access to execute commands as root IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV. Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV. MFV. Access TFTP server without authentication and obtain configuration file with sensitive plaintext information. Agent software running at privileges does not authenticate incoming requests over an unprotected channel, allowing a Shatter" attack. Product enforces restrictions through a GUI but not through privileged APIs. monitor device allows access to physical UART debug port without authentication Programmable Logic Controller (PLC) does not have an authentication feature on its communication protocols.

References

af854a3a-2127-422b-91ae-364da2661108 Exploit

psirt@paloaltonetworks.com Exploit


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:paloaltonetworks:expedition:*:*:*:*:*:*:*:* >= 1.2.0 < 1.2.92


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
https://github.com/Farzan-Kh/CVE-2024-5910

Other Nist (github, ...)

Url
https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-fu...


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
12 Choosing Message Identifier
High
166 Force the System to Reset Values
Medium
216 Communication Channel Manipulation
36 Using Unpublished Interfaces or Functionality
High
62 Cross Site Request Forgery
Very High