CVE-2024-9466 - Palo Alto Networks Expedition Exposes Firewall Credentials in Cleartext

In early 2024, a significant vulnerability, CVE-2024-9466, was reported in Palo Alto Networks' Expedition tool. Expedition helps admins migrate and optimize firewall and security policies, easing the migration between legacy devices and Palo Alto firewalls. Unfortunately, this vulnerability allows authenticated attackers to view firewall usernames, passwords, and API keys in cleartext. Here, we’ll break down how the flaw occurs, show relevant code examples, and provide links for further reading.

What Is CVE-2024-9466?

CVE-2024-9466 is a "cleartext storage of sensitive information" issue in *Expedition*. Instead of securely encrypting sensitive values, the software stores and displays them in plain sight. That means anyone with legitimate access to the Expedition UI or filesystem can read firewall login credentials and API tokens without needing to crack or decrypt anything.

How Does The Exploit Work?

An attacker first needs a login to Expedition (even a basic user account). Once authenticated, they can:

Example 1: Database Leak

Expedition uses a MySQL database to store device connection info. Sensitive fields, such as user and password, are stored in cleartext.

Example table structure (found in devices table):

CREATE TABLE devices (
  ...
  hostname varchar(256) NOT NULL,
  user varchar(64) NOT NULL,
  password varchar(64) NOT NULL,
  ...
);

Typical dump (sanitized)

INSERT INTO devices (hostname, user, password, api_key)
VALUES ('firewall1.lab.local', 'admin', 'SuperSecretPassword123', 'PANWAPIKEYXYZ');

Anyone with database read access sees everything. No hashing, salting, or encryption!

Example 2: Plaintext in Configuration Files

When exporting projects, Expedition creates XML, JSON, or CSV files with all currently stored credentials.

Example export file

<device>
  <name>firewall1.lab.local</name>
  <username>admin</username>
  <password>SuperSecretPassword123</password>
  <api_key>PANWAPIKEYXYZ</api_key>
</device>

If the admin shares the exported project or backs it up insecurely, an attacker can harvest credentials.

Example 3: Web UI Exposure

Within the Expedition Web UI, the firewall device settings page may display stored usernames and (sometimes) masks passwords, but with inspector tools or page source view, the real data might be exposed.

Sample HTML snippet

<input type="text" name="username" value="admin">
<input type="password" name="password" value="SuperSecretPassword123">

Changing type="password" to type="text" reveals the password.

Access to exported files or database increases risk

Note: This is not a remote, unauthenticated exploit. It requires a valid Expedition account but can be devastating in environments where these credentials match production firewalls.

Audit exports and backups for cleartext credentials.

- Upgrade immediately: Watch for vendor patches and follow official Palo Alto Networks Security Advisories.

Further Reading

- Original CVE Record — CVE-2024-9466
- Palo Alto Networks Security Advisory (CVE-2024-9466)
- Expedition GitHub Repo

Conclusion

CVE-2024-9466 shows how convenient tools can become security liabilities if they mishandle sensitive information. If you use Expedition, treat it as a high-value security target. Audit your data stores, restrict access, and apply vendor updates as soon as they're available.

Never assume anything stored in Expedition is safe unless you verify encryption and access controls. Don’t wait until credentials walk out the door—patch, audit, and educate your team now!

Timeline

Published on: 10/09/2024 17:15:20 UTC
Last modified on: 10/18/2024 11:51:31 UTC