Critical Security Flaws in Palo Alto Networks: Update Now to Safeguard Your Systems
Palo Alto Networks has recently addressed five significant security vulnerabilities impacting its products, including a critical flaw that could enable an authentication bypass. This article delves into the specifics of these vulnerabilities, their potential risks and the steps users should take to secure their systems.
CVE-2024-5910: Critical Authentication Bypass Vulnerability
One of the most concerning vulnerabilities, cataloged as CVE-2024-5910, carries a CVSS score of 9.3. Specifically, this flaw results from missing authentication in Palo Alto Networks’ Expedition migration tool, potentially allowing an attacker with network access to take over an admin account.
Details of the Vulnerability
According to Palo Alto Networks, “Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.” Therefore, configuration secrets, credentials, and other sensitive data imported into Expedition are at significant risk.
Impacted Versions and Remediation
Importantly, this vulnerability affects all versions of Expedition before 1.2.92. Users are strongly advised to update to version 1.2.92 or later to mitigate the risk. Brian Hysell of Synopsys Cybersecurity Research Center (CyRC) discovered and reported the flaw.
No Known Exploits in the Wild
While there is currently no evidence that this vulnerability has been exploited in the wild, it is crucial for users to update their systems to the latest version to prevent potential threats. Additionally, Palo Alto Networks recommends restricting network access to Expedition to authorized users, hosts, or networks as a temporary workaround.
CVE-2024-3596: BlastRADIUS Vulnerability in RADIUS Protocol
Another notable vulnerability, CVE-2024-3596, also known as BlastRADIUS, impacts the RADIUS protocol used in conjunction with Palo Alto Networks PAN-OS firewalls. This flaw could allow an attacker to perform an adversary-in-the-middle (AitM) attack, bypassing authentication and escalating privileges to ‘superuser’.
Affected Products and Versions
The following products are affected by this vulnerability:
- PAN-OS 11.1 (versions < 11.1.3, fixed in >= 11.1.3)
- PAN-OS 11.0 (versions < 11.0.4-h4, fixed in >= 11.0.4-h4)
- PAN-OS 10.2 (versions < 10.2.10, fixed in >= 10.2.10)
- PAN-OS 10.1 (versions < 10.1.14, fixed in >= 10.1.14)
- PAN-OS 9.1 (versions < 9.1.19, fixed in >= 9.1.19)
- Prisma Access (all versions, with a fix expected to be released on July 30)
Security Recommendations
Palo Alto Networks advises against using CHAP or PAP unless they are encapsulated by an encrypted tunnel, as these protocols do not provide Transport Layer Security (TLS). Notably, PAN-OS firewalls configured to use EAP-TTLS with PAP for RADIUS server authentication are not vulnerable to this attack.
Conclusion
The discovery of these critical vulnerabilities highlights the importance of maintaining up-to-date software and implementing robust security practices. Users of Palo Alto Networks products should promptly apply the recommended updates and follow the provided security guidelines to protect their systems from potential exploits. Stay vigilant and ensure your network’s integrity by keeping abreast of the latest security updates.
For further details and updates, visit Palo Alto Networks’ official advisory.
Key Takeaways
- Critical Vulnerability in Expedition Tool:
CVE-2024-5910 is a severe vulnerability (CVSS score: 9.3) in Palo Alto Networks’ Expedition migration tool, which can lead to admin account takeover if not addressed.
- Affected Versions and Urgent Updates:
All versions of Expedition prior to 1.2.92 are affected. Users must update to version 1.2.92 or later to mitigate the risk.
- BlastRADIUS Vulnerability in RADIUS Protocol:
CVE-2024-3596, or BlastRADIUS, can allow adversary-in-the-middle attacks, enabling attackers to escalate privileges to ‘superuser’ in affected PAN-OS versions and Prisma Access.
- Recommended Security Measures:
Users should update to the latest versions of affected products and restrict network access to Expedition. Avoid using CHAP or PAP unless they are encapsulated in an encrypted tunnel, and prefer EAP-TTLS with PAP for RADIUS server authentication, which is not affected by this attack.