
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN337
_____________________________________________________________________

DATE                : 23/06/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cortex XSOAR versions prior to
                         6.1.0 build 1271064, 6.2.0 build 1271065.

=====================================================================
https://security.paloaltonetworks.com/CVE-2021-3044
_____________________________________________________________________

CVE-2021-3044 Cortex XSOAR: Unauthorized Usage of the REST API
047910

Severity               9.8 · CRITICAL
Attack Vector          NETWORK
Attack Complexity      LOW
Privileges Required    NONE
User Interaction       NONE
Scope                  UNCHANGED
Confidentiality Impact HIGH
Integrity Impact       HIGH
Availability Impact    HIGH
Published              2021-06-22
Updated                2021-06-22
Reference              Discovered internally


Description

An improper authorization vulnerability in Palo Alto Networks Cortex
XSOAR enables a remote unauthenticated attacker with network access to
the Cortex XSOAR server to perform unauthorized actions through the REST
API.

This issue impacts:

Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064;

Cortex XSOAR 6.2.0 builds earlier than 1271065.

This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0,
Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions.

All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to
resolve this vulnerability. No additional action is required for these
instances.


Product Status

Versions               Affected                     Unaffected
Cortex XSOAR 6.2.0     < 1271065                    >= 1271065
Cortex XSOAR 6.1.0     >= 1016923 and < 1271064     < 1016923, >= 1271064
Cortex XSOAR 6.0.2     None                         all
Cortex XSOAR 6.0.1     None                         all
Cortex XSOAR 6.0.0     None                         all
Cortex XSOAR 5.5.0     None                         all
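The build ranges in the table above, turned into an inventory triage helper. This is an added example, not code from Palo Alto Networks or CERT-Renater; the "X.Y.Z build N" input format is an assumption, so adapt the parser to whatever your inventory export produces.

```python
"""Classify Cortex XSOAR version strings against the CVE-2021-3044 product status table."""
import re

# Affected build ranges from the advisory: version -> (first affected build, first fixed build)
AFFECTED_RANGES = {
    "6.2.0": (0, 1271065),        # every build earlier than 1271065
    "6.1.0": (1016923, 1271064),  # builds >= 1016923 and < 1271064
}
UNAFFECTED_VERSIONS = {"5.5.0", "6.0.0", "6.0.1", "6.0.2"}
FIXED_AFTER = (6, 2, 0)  # "all later Cortex XSOAR versions" are fixed

# Assumed input format, e.g. "6.1.0 build 1200000" or "6.0.2" (build optional)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d+))?$")


def classify(version: str) -> str:
    """Return 'affected', 'unaffected', 'fixed' or 'unknown' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    build = int(m.group(4)) if m.group(4) else None
    ver = f"{major}.{minor}.{patch}"
    if ver in UNAFFECTED_VERSIONS:
        return "unaffected"
    if ver in AFFECTED_RANGES:
        if build is None:
            return "unknown"  # the build number decides; query the host
        first_affected, first_fixed = AFFECTED_RANGES[ver]
        if first_affected <= build < first_fixed:
            return "affected"
        return "fixed" if build >= first_fixed else "unaffected"
    if (major, minor, patch) > FIXED_AFTER:
        return "fixed"
    return "unknown"  # a version the advisory does not list


def triage(inventory: list[str]) -> dict[str, str]:
    """Map 'host,version' lines (constructed format) to hosts needing action."""
    result = {}
    for line in inventory:
        host, _, version = line.partition(",")
        status = classify(version)
        if status in ("affected", "unknown"):
            result[host.strip()] = status
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    sample = ["soar-a,6.1.0 build 1200000", "soar-b,6.2.0 build 1271065", "soar-c,6.1.0"]
    print(triage(sample))  # {'soar-a': 'affected', 'soar-c': 'unknown'}
```

Hosts reported as "unknown" still need their build number checked before they can be cleared.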

Required Configuration for Exposure

This issue is applicable only to Cortex XSOAR configurations with active
API key integrations.

You can determine whether your configuration is impacted by selecting
‘Settings > Integration > API Keys’ from the Cortex XSOAR web client.

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit
this vulnerability.


Weakness Type

CWE-285 Improper Authorization


Solution

This issue is fixed in Cortex XSOAR 6.1.0 build 1271064, Cortex XSOAR
6.2.0 build 1271065, and all later Cortex XSOAR versions.


Workarounds and Mitigations

You must revoke all active integration API keys to fully mitigate the
impact of this issue.

To revoke integration API keys from the Cortex XSOAR web client, select
Settings > Integration > API Keys and then Revoke each API key.

You can create new API keys after you upgrade Cortex XSOAR to a fixed
version.

Restricting network access to the Cortex XSOAR server to allow only
trusted users also reduces the impact of this issue.


Acknowledgments

This issue was found during internal security review.


Frequently Asked Questions

Q. Are there any indicators of compromise or breach related to this
vulnerability?

    Cortex XSOAR Audit Trail will list all performed administrative
actions. The presence of unexpected actions, new integrations, or
additional users could indicate a breach. To view an audit trail, select
Settings > Users and Roles > Audit Trail from the web client.

    NOTE: exploitation of this vulnerability can impact the integrity of
audit trails, which means you cannot use an audit trail to conclusively
determine that the Cortex XSOAR instance was not compromised.

Q. Is this issue a remote code execution (RCE) vulnerability?

    This issue is not a remote code execution vulnerability. This issue
enables an unauthorized attacker to perform actions on behalf of an
active Cortex XSOAR integration, which includes running commands and
automations in the Cortex XSOAR War Room.

Q. Has this issue been exploited in the wild?

    No evidence of active exploitation was identified at the time this
advisory was published.

Q. What logs should I examine for clues of a compromise?

    You can examine the Cortex XSOAR Audit Trails and the application
server log (/var/log/demisto/server.log) for clues that indicate a
compromise.


Timeline

2021-06-22         Initial publication


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



