U.S. CISA adds Palo Alto Expedition, Android, CyberPanel and Nostromo nhttpd bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Expedition, Android, CyberPanel and Nostromo nhttpd bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-43093 Android Framework Privilege Escalation Vulnerability
  • CVE-2024-51567 CyberPanel Incorrect Default Permissions Vulnerability
  • CVE-2019-16278 Nostromo nhttpd Directory Traversal Vulnerability
  • CVE-2024-5910 Palo Alto Expedition Missing Authentication Vulnerability

CVE-2024-43093 – This week, Google warned that the vulnerability CVE-2024-43093 in the Android OS is actively exploited in the wild. The vulnerability is a privilege escalation issue in the Android Framework component. Successful exploitation could lead to unauthorized access to the “Android/data,” “Android/obb,” and “Android/sandbox” directories and their sub-directories.

As usual, Google did not share details about the attacks exploiting the above vulnerability; however, it added that another issue, tracked as CVE-2024-43047, is also actively exploited in the wild.

“There are indications that the following may be under limited, targeted exploitation.

  • CVE-2024-43093
  • CVE-2024-43047”

reads the security bulletin published by Google.

CVE-2024-51567 – An incorrect default permissions vulnerability in CyberPanel (prior to patch 5b08cd6) that allows remote attackers to bypass authentication and execute arbitrary commands through /dataBases/upgrademysqlstatus by manipulating the statusfile property with shell metacharacters, bypassing secMiddleware. Versions up to 2.3.6 and unpatched 2.3.7 are affected, with active exploitation reported in October 2024 by PSAUX.

CVE-2019-16278 – A directory traversal issue in the function http_verify in nostromo nhttpd through 1.9.6 that allows an attacker to achieve remote code execution via a crafted HTTP request.

CVE-2024-5910 – In July, Palo Alto Networks released security updates to address five security flaws impacting its products. The most severe issue, tracked as CVE-2024-5910 (CVSS score: 9.3), is a missing authentication for a critical function in Palo Alto Networks Expedition that can lead to an admin account takeover.

Palo Alto Networks Expedition is a tool designed to help users transition to and optimize Palo Alto Networks’ next-generation firewalls. It assists with the migration of configurations from other firewall vendors and legacy Palo Alto Networks devices to newer models. Additionally, Expedition provides automation and best practice adoption to improve security posture and operational efficiency.

“Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.” reads the advisory. “Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.”

The vulnerability affects Expedition versions before 1.2.92. The researcher Brian Hysell reported the flaw to the security vendor.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by November 28, 2024.
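As an added example (not code from the article, from CISA or from any of the vendors named), the following Python script cross-references a JSON excerpt in the shape of CISA's KEV feed with a local asset inventory, flags hosts running a version below the fix and reports the days left until the BOD 22-01 due date. The feed excerpt, the inventory hosts and the `patch` field are constructed; the due date, Expedition 1.2.92 and the CyberPanel 2.3.7 / patch 5b08cd6 condition come from the article.

```python
import json
from datetime import date
# Constructed excerpt in the shape of CISA's KEV JSON feed (real field names).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-5910", "vendorProject": "Palo Alto Networks",
     "product": "Expedition", "dueDate": "2024-11-28"},
    {"cveID": "CVE-2024-51567", "vendorProject": "CyberPanel",
     "product": "CyberPanel", "dueDate": "2024-11-28"},
    {"cveID": "CVE-2019-16278", "vendorProject": "Nostromo",
     "product": "nhttpd", "dueDate": "2024-11-28"},
]})
# First fixed version per CVE (1.2.92 from the article); CyberPanel 2.3.7 needs patch 5b08cd6, nhttpd is omitted so it lands in "review".
FIXED_IN = {"CVE-2024-5910": "1.2.92", "CVE-2024-51567": "2.3.7"}
HOTFIX = {"CVE-2024-51567": ("2.3.7", "5b08cd6")}
# Constructed inventory; "patch" is an assumed field holding an applied hotfix id.
INVENTORY = [
    {"host": "exp-01", "product": "Expedition", "version": "1.2.90"},
    {"host": "panel-01", "product": "CyberPanel", "version": "2.3.7"},
    {"host": "panel-02", "product": "CyberPanel", "version": "2.3.7", "patch": "5b08cd6"},
    {"host": "web-01", "product": "nhttpd", "version": "1.9.6"},
]

def parse_version(s):
    return tuple(int(p) for p in s.split("."))  # "1.2.92" -> (1, 2, 92)

def load_kev(text):
    """Index a KEV-format document by lower-cased product name."""
    by_product = {}
    for v in json.loads(text)["vulnerabilities"]:
        by_product.setdefault(v["product"].lower(), []).append(v)
    return by_product

def triage(kev_text, inventory, today):
    """Return (host, cveID, status, days_until_due) for every inventory entry
    whose product appears in the catalog; status is vulnerable/patched/review."""
    kev, today, findings = load_kev(kev_text), date.fromisoformat(today), []
    for host in inventory:
        for v in kev.get(host["product"].lower(), []):
            cve, fixed, hotfix = v["cveID"], FIXED_IN.get(v["cveID"]), HOTFIX.get(v["cveID"])
            if fixed is None:
                status = "review"      # no fixed version recorded: check the vendor advisory
            elif parse_version(host["version"]) < parse_version(fixed):
                status = "vulnerable"
            elif hotfix and host["version"] == hotfix[0] and host.get("patch") != hotfix[1]:
                status = "vulnerable"  # right version, but the required hotfix is missing
            else:
                status = "patched"
            findings.append((host["host"], cve, status, (date.fromisoformat(v["dueDate"]) - today).days))
    return findings
```

Against the real feed, replace `KEV_JSON` with the downloaded known_exploited_vulnerabilities.json and `INVENTORY` with the organization's asset list.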


Pierluigi Paganini
