Skip to content
A critical security bug in Palo Alto Networks’ Cortex XSOAR could allow remote attackers to run commands & automations in the Cortex XSOAR War Room, & to take other actions on the platform, without having to log in.
Remote, unauthenticated cyber-attackers can infiltrate & take over the Cortex XSOAR platform, which underpins unified threat intelligence & incident responses.
Found internally by Palo Alto, the bug (CVE-2021-3044) is an improper-authorisation vulnerability that “enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorised actions through the REST API,” according to the security vendor’s Tues. advisory. It rates 9.8 out of 10 on the CVSS vulnerability-severity scale.
Cortex XSOAR Bug
Cortex XSOAR is a cyber-security defence platform used in a variety of use cases, including security operations automation, threat-intelligence management, automated ransomware remediation & cloud-security orchestration, according to Palo Alto’s website.
SOAR stands for “security orchestration, automation & response,” & in Palo Alto’s case the term is used to mean taking a unified approach to centralising threat intelligence & security alerts across sources. The Cortex platform also implements automated workflows & response playbooks & allows real-time collaboration between teams.
It is the centre of a company’s security response.
War Room
If remote attackers can run commands & automations in the War Room, they can potentially subvert ongoing security investigations, steal information about a victim’s cyber-defence action plans & more. According to Palo Alto’s online documentation, real-time investigations are facilitated through the War Room, which allows analysts (& on vulnerable systems, remote attackers) to do the following:
- Run real-time security actions through the command-line interface, without switching consoles.
- Run security playbooks, scripts & commands.
- Collaborate & execute remote actions across integrated products.
- Capture incident context from different sources.
- Document all actions in 1 source.
- Converse with others for joint investigations.
Documentation
“When you open the War Room, you can see a number of entries such as commands, notes, evidence, tasks, etc.,” the documentation reads.
A mitigating factor however is the fact that an adversary, as mentioned, would need to have access to the same network that the Cortex XSOAR is attached to, requiring an earlier compromise or exploit.
Affected Versions & Patches
The issue impacts only Cortex XSOAR configurations with active API key integrations, & specifically the following versions: Cortex XSOAR 6.1.0 builds later than 1016923 & earlier than 1271064; & Cortex XSOAR 6.2.0 builds earlier than 1271065.
To protect themselves, users should update to the latest version & must revoke all active integration API keys to fully mitigate the impact of the issue, the vendor noted. Users can create new API keys after the upgrade is completed.
Palo Alto said that it is unaware of any exploitation of the bug in the wild.
https://www.cybernewsgroup.co.uk/virtual-conference-july-2021/
