Vulnerability: Palo Alto Expedition
On July 10th, 2024, Palo Alto Networks released critical security updates addressing several vulnerabilities, including a high-severity flaw in the Expedition migration tool (CVE-2024-5910, CVSS score: 9.3). The vulnerability can lead to an Expedition admin account takeover for attackers with network access to Expedition.
This blog provides an overview of steps you can take to protect your organization and your third-party network, as well as a summary of our investigation and mitigation efforts.
Description
Expedition is a tool that aids in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition are at risk due to this issue. This vulnerability allows attackers with network access to take over admin accounts.
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
Severity and Impact
The severity is currently rated Critical (9.3), although Palo Alto Networks is not aware of any malicious exploitation of this issue. It is still important to quickly assess the impact and risk both internally and within your third-party population. Take action now and follow these steps to assess the potential impact.
Step 1: Determine if you are at risk
- Affected versions of Expedition < 1.2.92
- Unaffected versions of Expedition >= 1.2.92
- Determine if your third parties are using any affected versions of Expedition and assess any associated risk by sending the Palo Alto Expedition Vulnerability Response Questionnaire. You can access it in the Whistic platform under our Questionnaire Standards Library.
Step 2: Take action
- Ensure network access to Expedition is restricted to authorized users, hosts, or networks.
- Upgrade to unaffected versions of Expedition. This issue is fixed in Expedition 1.2.92 and all later versions.
- Follow up with impacted third parties and ensure remediation.
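Steps 1 and 2 can be run as a triage over an asset inventory. The following is an added example, not code from Whistic or Palo Alto Networks: the inventory records, host names, field names, and the /16 "too broad" threshold are constructed assumptions. It compares versions numerically, because a plain string comparison would wrongly rank 1.2.100 below 1.2.92.

```python
import ipaddress
import re

FIXED = (1, 2, 92)  # first unaffected Expedition release, per the advisory above

# Constructed inventory (hypothetical hosts and fields, not real data):
# the version reported by the asset owner and the IPv4 source networks
# that are allowed to reach the Expedition host.
INVENTORY = [
    {"host": "exp-lab-01", "version": "1.2.91", "allowed_sources": ["0.0.0.0/0"]},
    {"host": "exp-lab-02", "version": "1.2.100", "allowed_sources": ["10.20.0.0/24"]},
    {"host": "exp-dc-01", "version": "1.2.9", "allowed_sources": ["10.20.0.0/24"]},
    {"host": "exp-dc-02", "version": "unknown", "allowed_sources": ["10.0.0.0/8"]},
]

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is unparseable."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(text):
    """True if the version is below 1.2.92, None if it cannot be determined."""
    v = parse_version(text)
    return None if v is None else v < FIXED

def broadly_reachable(cidrs, max_prefix=16):
    """True if any allowed IPv4 source network is wider than /max_prefix (assumed policy)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen < max_prefix for c in cidrs)

def triage(inventory):
    """Map each host to the action from Step 2 that applies to it."""
    findings = {}
    for item in inventory:
        affected = is_affected(item["version"])
        exposed = broadly_reachable(item["allowed_sources"])
        if affected is None:
            findings[item["host"]] = "verify version manually"
        elif affected and exposed:
            findings[item["host"]] = "restrict access now, then upgrade"
        elif affected:
            findings[item["host"]] = "upgrade to 1.2.92 or later"
        else:
            findings[item["host"]] = "restrict access" if exposed else "no action"
    return findings

if __name__ == "__main__":
    for host, action in triage(INVENTORY).items():
        print(f"{host}: {action}")
```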
Does this affect Whistic?
As a result of our investigation, we have determined that this situation does not directly impact Whistic. Whistic does not use Expedition products, and we haven't identified any of our third parties that use Expedition products. We have a structured approach to vulnerability identification and remediation using technologies in both the development lifecycle and in our stage and production environments.