Palo Alto Networks Patches Critical Flaw in Expedition Migration Tool

Palo Alto Networks has released security updates to address five security flaws impacting its products, including a critical bug that could lead to an authentication bypass.

Cataloged as CVE-2024-5910 (CVSS score: 9.3), the vulnerability has been described as a case of missing authentication in its Expedition migration tool that could lead to an admin account takeover.

“Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition,” the company said in an advisory. “Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.”

The flaw impacts all versions of Expedition prior to version 1.2.92, which remediates the problem. Synopsys Cybersecurity Research Center’s (CyRC) Brian Hysell has been credited with discovering and reporting the issue.

While there is no evidence that the vulnerability has been exploited in the wild, users are advised to update to the latest version to secure against potential threats.

As workarounds, Palo Alto Networks is recommending that network access to Expedition is restricted to authorized users, hosts, or networks.

Also fixed by the American cybersecurity firm is a newly disclosed flaw in the RADIUS protocol called BlastRADIUS (CVE-2024-3596) that could allow a bad actor with capabilities to perform an adversary-in-the-middle (AitM) attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to sidestep authentication.

The vulnerability then permits the attacker to “escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile,” it said.

The following products are affected by the shortcomings:

  • PAN-OS 11.1 (versions < 11.1.3, fixed in >= 11.1.3)
  • PAN-OS 11.0 (versions < 11.0.4-h4, fixed in >= 11.0.4-h4)
  • PAN-OS 10.2 (versions < 10.2.10, fixed in >= 10.2.10)
  • PAN-OS 10.1 (versions < 10.1.14, fixed in >= 10.1.14)
  • PAN-OS 9.1 (versions < 9.1.19, fixed in >= 9.1.19)
  • Prisma Access (all versions, fix expected to be released on July 30)

It also noted that neither CHAP nor PAP should be used unless they are encapsulated by an encrypted tunnel since the authentication protocols do not offer Transport Layer Security (TLS). They are not vulnerable in cases where they are used in conjunction with a TLS tunnel.

However, it's worth noting that PAN-OS firewalls configured to use EAP-TTLS with PAP as the authentication protocol for a RADIUS server are also not susceptible to the attack.
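To apply the fixed-version list and the CHAP/PAP condition above to a firewall inventory, the following added example (not code from Palo Alto Networks or the original article) compares PAN-OS version strings, hotfix suffix included, against the fixed release for each branch. The inventory, hostnames and protocol labels are constructed, and the function names are hypothetical; numeric parsing matters because a plain string comparison would rank 10.2.9 above 10.2.10.

```python
import re

# Fixed releases per PAN-OS branch, copied from the list above.
FIXED = {
    (11, 1): "11.1.3",
    (11, 0): "11.0.4-h4",
    (10, 2): "10.2.10",
    (10, 1): "10.1.14",
    (9, 1): "9.1.19",
}
# Profile protocols named as affected; EAP-TTLS with PAP is not susceptible.
AFFECTED_PROTOCOLS = {"CHAP", "PAP"}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '11.0.4-h4' into (11, 0, 4, 4); a missing hotfix counts as 0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_patched(version):
    """True/False for listed branches, None when the branch is not in the list."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    return None if fixed is None else parsed >= parse_version(fixed)


def needs_attention(version, radius_protocol):
    """Flag firewalls below the fixed release that use CHAP or PAP for RADIUS."""
    if radius_protocol is None or radius_protocol.upper() not in AFFECTED_PROTOCOLS:
        return False
    return is_patched(version) is False


# Constructed inventory: (hostname, PAN-OS version, RADIUS profile protocol).
INVENTORY = [
    ("fw-edge-01", "11.0.4-h3", "PAP"),
    ("fw-edge-02", "11.0.4-h4", "PAP"),
    ("fw-core-01", "10.2.9-h1", "CHAP"),
    ("fw-core-02", "10.2.9", "EAP-TTLS with PAP"),
    ("fw-lab-01", "9.1.19", None),
]

if __name__ == "__main__":
    for host, version, proto in INVENTORY:
        print(host, version, proto, "UPDATE" if needs_attention(version, proto) else "ok")
```

Branches that do not appear in the list make `is_patched` return `None` and are not flagged, so they need a separate review against the vendor advisory.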
