Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                              CERT-Renater

                  Note d'Information No. 2025/VULN028

_____________________________________________________________________

DATE                : 21/01/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Palo Alto Networks Expedition
                      migration tool versions prior to 1.2.101.

=====================================================================
https://security.paloaltonetworks.com/PAN-SA-2025-0001
_____________________________________________________________________

PAN-SA-2025-0001 Expedition: Multiple Vulnerabilities in Expedition
Migration Tool Lead to Exposure of Firewall Credentials

Urgency MODERATE

047910

Severity 7.8 ·    HIGH
Exploit Maturity  UNREPORTED
Response Effort   HIGH
Recovery          USER   
Value Density     CONCENTRATED
Attack Vector     NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable       NO
User Interaction  NONE
Product Confidentiality  HIGH
Product Integrity    LOW
Product Availability NONE
Privileges Required  NONE
Subsequent Confidentiality HIGH
Subsequent Integrity NONE
Subsequent Availability NONE
JSON CSAF
Published 2025-01-08
Updated 2025-01-15
Discovered externally


Description

Multiple vulnerabilities in the Palo Alto Networks Expedition migration
tool enable an attacker to read Expedition database contents and
arbitrary files, as well as create and delete arbitrary files on the
Expedition system. These files include information such as usernames,
cleartext passwords, device configurations, and device API keys for
firewalls running PAN-OS software.

Expedition, previously known as the Migration Tool, is a free tool that
facilitates migration to the Palo Alto Networks NGFW platform from
other firewall vendors and provides a temporary workspace for optimizing
Palo Alto Networks security policies. Expedition is designed to only be
used temporarily for migration purposes, not to be run in production.
You do not need it to operate any Palo Alto Networks products or
services. Expedition reached its End of Life (EoL) date on December 31,
2024. Please use the suggested alternatives listed in the Expedition
End of Life Announcement.

These issues do not otherwise impact firewalls, Panorama appliances,
Prisma Access deployments, or Cloud NGFWs.

CVE	CVSS	Summary

CVE-2025-0103	7.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:U)
An SQL injection vulnerability in Palo Alto Networks Expedition enables
an authenticated attacker to reveal Expedition database contents, such
as password hashes, usernames, device configurations, and device API
keys. This vulnerability also enables attackers to create and read
arbitrary files on the Expedition system.

CVE-2025-0104	4.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U)
A reflected cross-site scripting (XSS) vulnerability in Palo Alto
Networks Expedition enables attackers to execute malicious
JavaScript code in the context of an authenticated Expedition
user’s browser if that authenticated user clicks a malicious link
that allows phishing attacks and could lead to Expedition
browser-session theft.

CVE-2025-0105	2.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U)
An arbitrary file deletion vulnerability in Palo Alto Networks
Expedition enables an unauthenticated attacker to delete
arbitrary files accessible to the www-data user on the host
filesystem.

CVE-2025-0106	2.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U)
A wildcard expansion vulnerability in Palo Alto Networks
Expedition allows an unauthenticated attacker to enumerate
files on the host filesystem.

CVE-2025-0107	4.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:N/SA:N/E:U)
An OS command injection vulnerability in Palo Alto Networks
Expedition enables an unauthenticated attacker to run
arbitrary OS commands as the www-data user in Expedition,
which results in the disclosure of usernames, cleartext
passwords, device configurations, and device API keys for
firewalls running PAN-OS software.


Product Status

Versions	Affected	Unaffected
Cloud NGFW	None	All
Expedition 1	< 1.2.101	>= 1.2.101
Panorama	None	All
PAN-OS	None	All
Prisma Access	None	All


* Expedition reached its End of Life (EoL) date; no additional
updates or security fixes are planned.


Required Configuration for Exposure

No special configuration is required to be affected by these
issues.

Severity: HIGH, Suggested Urgency: MODERATE

CVE-2025-0103
CVSS-BT: 7.8 / CVSS-B: 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:H/U:Amber)

CVE-2025-0104
CVSS-BT: 4.7 / CVSS-B: 7.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:H/U:Amber)

CVE-2025-0105
CVSS-BT: 2.7 / CVSS-B: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:H/U:Green)

CVE-2025-0106
CVSS-BT: 2.7 / CVSS-B: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:H/U:Green)

CVE-2025-0107
CVSS-BT: 4.4 / CVSS-B: 7.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:H/U:Green)


Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation
of these issues.


Weakness Type and Impact

CWE-89 Improper Neutralization of Special Elements used in
an SQL Command ('SQL Injection')

CWE-79 Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting')

CWE-73 External Control of File Name or Path

CWE-155 Improper Neutralization of Wildcards or Matching
Symbols

CWE-78 Improper Neutralization of Special Elements used in
an OS Command ('OS Command Injection')

CAPEC-66 SQL Injection

CAPEC-63 Cross-Site Scripting (XSS)

CAPEC-165 File Manipulation

CAPEC-127 Directory Indexing

CAPEC-88 OS Command Injection


Solution

The following CVEs are fixed in the specified Expedition
version and all later versions* of Expedition.

CVE	Expedition

CVE-2025-0103 	Expedition 1.2.100
CVE-2025-0104
	Expedition 1.2.100
CVE-2025-0105
	Expedition 1.2.101
CVE-2025-0106
	Expedition 1.2.101
CVE-2025-0107
	Expedition 1.2.100

* Expedition reached its End of Life (EoL) date and is no
longer supported. We added these fixes prior to the EoL
date and we do not plan to make any additional updates or
security fixes. Please use the suggested alternatives
listed in the Expedition End of Life Announcement.


Workarounds and Mitigations

Ensure that all network access to Expedition is restricted
to only authorized users, hosts, and networks. If you are
not actively using Expedition, make sure that your Expedition
software is shut down.


Acknowledgments
Palo Alto Networks thanks an independent security researcher
working with SSD Secure Disclosure for discovering and
reporting CVE-2025-0107. Palo Alto Networks thanks Mesut
Cetin of RedTeamer IT Security for discovering and reporting
CVE-2025-0103 and CVE-2025-0104. Palo Alto Networks thanks
Advanced Research Team, CrowdStrike for discovering and
reporting CVE-2025-0104, CVE-2025-0105, CVE-2025-0106,
and CVE-2025-0107.


Timeline
2025-01-15
Updated CVSS Score for CVE-2025-0107

2025-01-08
Initial publication

	
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================