Remote, unauthenticated attackers can break into and poke around the Cortex XSOAR platform, which anchors unified threat intelligence and incident response.
A critical security bug in Palo Alto Networks’ Cortex XSOAR could allow remote attackers to run commands and automations in the Cortex XSOAR War Room and to take other actions on the platform, without having to log in.
Discovered internally by Palo Alto, the bug (CVE-2021-3044) is an improper-authorization vulnerability that “enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API,” according to the security vendor’s Tuesday advisory. It rates 9.8 out of 10 on the CVSS vulnerability-severity scale.
Cortex XSOAR Bug: Security Impact
Cortex XSOAR is a cybersecurity protection platform used in a wide variety of use cases, including security operations automation, threat-intelligence management, automated ransomware remediation and cloud-security orchestration, according to Palo Alto’s website. SOAR stands for “security orchestration, automation and response,” and in Palo Alto’s case the term is used to mean taking a unified approach to centralizing threat intelligence and security alerts across sources. The Cortex platform also implements automated workflows and response playbooks, and enables real-time collaboration between teams.
As such, it is the nexus of a company’s security response.
If remote attackers can run commands and automations in the War Room, they can potentially subvert ongoing security investigations, steal details about a victim’s cyber-defense action plans and more. According to Palo Alto’s online documentation, real-time investigations are facilitated through the War Room, which allows analysts (and, on vulnerable systems, remote attackers) to do the following:
- Run real-time security actions through the command-line interface, without switching consoles.
- Run security playbooks, scripts and commands.
- Collaborate and execute remote actions across integrated products.
- Capture incident context from different sources.
- Document all actions in one place.
- Communicate with others for joint investigations.
“When you open the War Room, you can see a variety of entries such as commands, notes, evidence, tasks, etc.,” the documentation reads.
A mitigating factor, however, is the fact that an adversary, as noted, would need access to the network that the Cortex XSOAR server is attached to, requiring an earlier compromise or exploit to get there.
Affected Versions and Patches
The issue affects only Cortex XSOAR configurations with active API key integrations, and specifically the following versions: Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064, and Cortex XSOAR 6.2.0 builds earlier than 1271065.
To protect themselves, customers should upgrade to the latest version and must revoke all active integration API keys to fully mitigate the impact of the issue, the vendor noted. Customers can create new API keys after the upgrade is complete.
Palo Alto said that it is not aware of any exploitation of the bug in the wild.
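The affected-build ranges and the mitigation sequence above are easy to get wrong when triaging several XSOAR servers by hand, because the bounds are exclusive on both sides and the API key precondition changes the answer. The following Python helper is an added example, not code from the article or from Palo Alto; it encodes the ranges and steps exactly as the advisory states them. The version/build input format (a version string such as "6.1.0" plus a plain integer build number), the `Assessment` structure and the count of active API keys are assumptions for illustration.

```python
"""Triage helper for CVE-2021-3044 (Cortex XSOAR improper authorization).

Added example, not Palo Alto code. Build ranges and mitigation steps come
from the advisory as quoted in the article; the input format and the
Assessment structure are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Affected build ranges from the advisory. Both bounds are exclusive:
# 6.1.0 builds later than 1016923 and earlier than 1271064;
# 6.2.0 builds earlier than 1271065. None means "no lower bound".
AFFECTED_BUILDS: Dict[str, Tuple[Optional[int], int]] = {
    "6.1.0": (1016923, 1271064),
    "6.2.0": (None, 1271065),
}


def is_affected_build(version: str, build: int) -> bool:
    """True if this version/build pair lies inside an affected range."""
    bounds = AFFECTED_BUILDS.get(version.strip())
    if bounds is None:
        return False  # versions the advisory does not list (e.g. 6.0.x)
    lower, upper = bounds
    if lower is not None and build <= lower:
        return False  # at or before the first affected 6.1.0 build
    return build < upper  # fixed builds start at the upper bound


@dataclass
class Assessment:
    """Result of triaging one server (assumed structure, not vendor output)."""
    exposed: bool
    reasons: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


def assess(version: str, build: int, active_api_keys: int) -> Assessment:
    """Combine the build check with the advisory's API key precondition and
    list the mitigation steps in the order the vendor gives them."""
    if not is_affected_build(version, build):
        return Assessment(
            exposed=False,
            reasons=[f"{version} build {build} is outside the affected ranges"],
        )
    if active_api_keys == 0:
        # Advisory: only configurations with active API key integrations
        # are affected. Still patch before turning any on.
        return Assessment(
            exposed=False,
            reasons=[f"{version} build {build} is affected, but no API keys are active"],
            actions=["upgrade to a fixed build before enabling API key integrations"],
        )
    return Assessment(
        exposed=True,
        reasons=[
            f"{version} build {build} is affected",
            f"{active_api_keys} active integration API key(s)",
        ],
        actions=[
            "upgrade to the latest Cortex XSOAR version",
            "revoke all active integration API keys",
            "create new API keys only after the upgrade is complete",
        ],
    )


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, build, active API keys).
    inventory = [
        ("xsoar-prod", "6.1.0", 1200000, 4),
        ("xsoar-lab", "6.2.0", 1271065, 2),
        ("xsoar-dr", "6.1.0", 1016923, 1),
    ]
    for host, ver, bld, keys in inventory:
        result = assess(ver, bld, keys)
        print(host, "EXPOSED" if result.exposed else "ok", "; ".join(result.reasons))
        for step in result.actions:
            print("   -", step)
```

Running the block prints one line per server; `xsoar-prod` is reported exposed with the three-step remediation, while the 6.2.0 build 1271065 host and the 6.1.0 build 1016923 host fall exactly on the fixed-side boundaries and are reported clean.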
Some sections of this report are sourced from:
threatpost.com