
===================================================================
                              CERT-Renater

                      Information Note No. 2023/VULN066

_____________________________________________________________________

DATE                : 13/02/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows systems running Cortex XDR Agent 7.5 versions
                      prior to 7.5.101-CE (CVE-2023-0001 and CVE-2023-0002),
                      or Cortex XDR Agent 5.0 versions prior to 5.0.12.22203
                      (CVE-2023-0002 only).

====================================================================
https://security.paloaltonetworks.com/CVE-2023-0001
https://security.paloaltonetworks.com/CVE-2023-0002
_____________________________________________________________________


CVE-2023-0001 Cortex XDR Agent: Cleartext Exposure of Agent Admin Password


Severity                6.0 · MEDIUM
Attack Vector           LOCAL
Scope                   UNCHANGED
Attack Complexity       LOW
Confidentiality Impact  HIGH
Privileges Required     HIGH
Integrity Impact        NONE
User Interaction        NONE
Availability Impact     HIGH
Published               2023-02-08
Updated                 2023-02-08
Reference               CPATR-13152
Discovered internally


Description

An information exposure vulnerability in the Palo Alto Networks Cortex 
XDR agent on Windows devices allows a local system administrator to 
disclose the admin password for the agent in cleartext, which bad actors 
can then use to execute privileged cytool commands that disable or 
uninstall the agent.


Product Status

Versions                Affected                   Unaffected
Cortex XDR Agent 7.9    None                       all
Cortex XDR Agent 7.8    None                       all
Cortex XDR Agent 7.5    < 7.5.101-CE on Windows    >= 7.5.101-CE on Windows
Cortex XDR Agent 5.0    None                       all

Severity: MEDIUM

CVSSv3.1 Base Score: 6.0 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H)


Weakness Type

CWE-319 Cleartext Transmission of Sensitive Information


Solution

This issue is fixed in Cortex XDR agent 7.5.101-CE and all later 
supported Cortex XDR agent versions. (Cortex XDR agent 5.0 is not impacted.)

After you upgrade to a fixed version of the Cortex XDR agent, you must 
change the agent admin password, since it may already have been disclosed 
to local administrators while the vulnerable version was installed.


Workarounds and Mitigations

There are no known workarounds for this issue.


Acknowledgments
Palo Alto Networks thanks Robert McCallum (M42D) for discovering and 
reporting this issue.


Timeline

2023-02-08
Initial publication

_____________________________________________________________________

CVE-2023-0002 Cortex XDR Agent: Product Disruption by Local Windows User


Severity                5.5 · MEDIUM
Attack Vector           LOCAL
Scope                   UNCHANGED
Attack Complexity       LOW
Confidentiality Impact  NONE
Privileges Required     LOW
Integrity Impact        NONE
User Interaction        NONE
Availability Impact     HIGH
Published               2023-02-08
Updated                 2023-02-08
Reference               CPATR-13215 and CPATR-13184
Discovered externally


Description

A problem with a protection mechanism in the Palo Alto Networks Cortex 
XDR agent on Windows devices allows a local user to execute privileged 
cytool commands that disable or uninstall the agent.


Product Status

Versions                Affected                    Unaffected
Cortex XDR Agent 7.9    None                        all
Cortex XDR Agent 7.8    None                        all
Cortex XDR Agent 7.5    < 7.5.101-CE on Windows     >= 7.5.101-CE on Windows
Cortex XDR Agent 5.0    < 5.0.12.22203 on Windows   >= 5.0.12.22203 on Windows

Severity: MEDIUM

CVSSv3.1 Base Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)


Weakness Type

CWE-693 Protection Mechanism Failure


Solution

This issue is fixed in Cortex XDR agent 5.0.12.22203, Cortex XDR agent 
7.5.101-CE, and all later supported Cortex XDR agent versions.
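
The two Product Status tables above fix different branches at different 
versions, and CVE-2023-0001 does not touch the 5.0 branch at all, so a 
fleet check has to reason per release branch rather than by a single 
version threshold. The script below is an added example written for this 
note; it is not code from Palo Alto Networks or CERT-Renater. It assumes, 
because the advisory does not say, that version strings order numerically 
by dotted component, that a trailing tag such as "-CE" carries no ordering 
meaning, and that every release branch newer than 7.5 is fixed (reading 
"7.5.101-CE and all later supported Cortex XDR agent versions" literally). 
Branches the tables do not list (for example 7.0 to 7.4) are reported as 
"unknown" rather than guessed. The inventory at the bottom is constructed 
sample data.

```python
"""Triage an agent inventory against CVE-2023-0001 and CVE-2023-0002.

Added example for this note, not code from Palo Alto Networks or CERT-Renater.
Assumptions not stated by the advisory: versions order numerically by dotted
component, a trailing tag such as "-CE" has no ordering meaning, and every
branch newer than 7.5 is fixed ("all later supported ... versions").
"""
import re

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z0-9]+))?$")

# Fixed version per affected release branch, from the Product Status tables.
FIXED = {
    "CVE-2023-0001": {(7, 5): "7.5.101-CE"},
    "CVE-2023-0002": {(7, 5): "7.5.101-CE", (5, 0): "5.0.12.22203"},
}
# Branches the tables list with "None" affected.
UNAFFECTED = {
    "CVE-2023-0001": {(7, 8), (7, 9), (5, 0)},
    "CVE-2023-0002": {(7, 8), (7, 9)},
}
OLDEST_FIXED_BRANCH = (7, 5)   # assumption: every branch above this is fixed


def parse_version(text):
    """Split '7.5.101-CE' into ((7, 5, 101), 'CE'); raise on junk input."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable agent version: %r" % text)
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def compare(a, b):
    """Numeric comparison of two component tuples; missing components count as 0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def agent_status(cve, platform, version):
    """Return 'affected', 'not affected' or 'unknown' for one installed agent."""
    if platform.lower() != "windows":
        return "not affected"          # both CVEs are limited to Windows agents
    try:
        nums, _tag = parse_version(version)
    except ValueError:
        return "unknown"
    branch = nums[:2]
    if branch in FIXED[cve]:
        fixed_nums, _ = parse_version(FIXED[cve][branch])
        return "affected" if compare(nums, fixed_nums) < 0 else "not affected"
    if branch in UNAFFECTED[cve] or compare(branch, OLDEST_FIXED_BRANCH) > 0:
        return "not affected"
    return "unknown"                   # branch not covered by the advisory


def triage(inventory):
    """Map hostname -> {cve: status} for a list of (host, platform, version)."""
    return {
        host: {cve: agent_status(cve, platform, version) for cve in FIXED}
        for host, platform, version in inventory
    }


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "7.5.100-CE"),
    ("ws-02", "Windows", "7.5.101-CE"),
    ("ws-03", "Windows", "5.0.11.21000"),
    ("ws-04", "Windows", "5.0.12.22203"),
    ("ws-05", "Windows", "7.9.0"),
    ("ws-06", "Windows", "7.3.2"),
    ("srv-01", "Linux", "7.5.100"),
]

if __name__ == "__main__":
    for host, verdicts in triage(SAMPLE_INVENTORY).items():
        print(host, verdicts)
```

Hosts reported "affected" for CVE-2023-0001 need two actions, not one: the 
upgrade, and then the agent admin password change that the Solution for 
that CVE requires, since the old password may already be in the hands of 
local administrators. Hosts reported "unknown" sit on a branch the advisory 
does not list and should be checked against the vendor page rather than 
assumed safe.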


Workarounds and Mitigations

There are no known workarounds for this issue.


Acknowledgments
Palo Alto Networks thanks Fernando Romero de la Morena and Robert 
McCallum (M42D) for discovering and reporting this issue.


Timeline

2023-02-08
Initial publication


=======================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email: cert@support.renater.fr +
=======================================================