Remote, unauthenticated cyberattackers can infiltrate and take over the Cortex XSOAR platform, which anchors unified threat intelligence and incident responses.
A critical security bug in Palo Alto Networks’ Cortex XSOAR could allow remote attackers to run commands and automations in the Cortex XSOAR War Room and to take other actions on the platform, without having to log in.
Found internally by Palo Alto, the bug (CVE-2021-3044) is an improper-authorization vulnerability that “enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API,” according to the security vendor’s Tuesday advisory. It rates 9.8 out of 10 on the CVSS vulnerability-severity scale.
Cortex XSOAR is a cybersecurity defense platform used in a variety of use cases, including security operations automation, threat-intelligence management, automated ransomware remediation and cloud-security orchestration, according to Palo Alto’s website. SOAR stands for “security orchestration, automation and response,” and in Palo Alto’s case the term is used to mean taking a unified approach to centralizing threat intelligence and security alerts across sources. The Cortex platform also implements automated workflows and response playbooks, and allows real-time collaboration between teams.
As such, it’s the nexus of a company’s security response.
If remote attackers can run commands and automations in the War Room, they can potentially subvert ongoing security investigations, steal information about a victim’s cyber-defense action plans and more. According to Palo Alto’s online documentation, real-time investigations are facilitated through the War Room, which allows analysts (and on vulnerable systems, remote attackers) to do the following:
“When you open the War Room, you can see a number of entries such as commands, notes, evidence, tasks, etc.,” the documentation reads.
One mitigating factor, however, is that an adversary, as mentioned, would need network access to the Cortex XSOAR server, which would require an earlier compromise or exploit.
The issue impacts only Cortex XSOAR configurations with active API key integrations, and specifically the following versions: Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064; and Cortex XSOAR 6.2.0 builds earlier than 1271065.
To protect themselves, users should update to the latest version.
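As an added example (not code from the article or from Palo Alto Networks), the check below encodes the affected build ranges quoted above so that a defender can flag which Cortex XSOAR servers in an inventory still need the update; the inventory format, hostnames and the `api_keys_active` field are constructed assumptions, and the ranges are exactly those stated in the advisory as reported here.

```python
# Affected ranges for CVE-2021-3044 as quoted in the article:
# version -> (exclusive lower build bound, exclusive upper build bound).
# None means there is no bound on that side.
AFFECTED_BUILDS = {
    "6.1.0": (1016923, 1271064),  # later than 1016923 and earlier than 1271064
    "6.2.0": (None, 1271065),     # earlier than 1271065
}


def is_affected(version: str, build: int, api_keys_active: bool = True) -> bool:
    """Return True when this install falls in an affected range.

    The advisory says only configurations with active API key integrations
    are impacted, so a server without active API keys is reported as not
    affected even if its build is in range. Boundary builds are excluded
    because the advisory uses 'later than' / 'earlier than'.
    """
    if not api_keys_active:
        return False
    bounds = AFFECTED_BUILDS.get(version.strip())
    if bounds is None:
        return False  # version not listed as affected by the advisory
    low, high = bounds
    if low is not None and build <= low:
        return False
    if high is not None and build >= high:
        return False
    return True


def hosts_needing_patch(inventory_lines):
    """Parse constructed inventory lines 'host,version,build,api_keys_active'
    (assumed format) and return the hostnames that need the update."""
    needs_patch = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version, build, api_keys = [f.strip() for f in line.split(",")]
        if is_affected(version, int(build), api_keys.lower() == "yes"):
            needs_patch.append(host)
    return needs_patch


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = """
# host,version,build,api_keys_active
xsoar-prod-1,6.1.0,1200000,yes
xsoar-prod-2,6.1.0,1271064,yes
xsoar-dev-1,6.2.0,1100000,no
xsoar-dev-2,6.2.0,1100000,yes
xsoar-lab-1,6.0.2,999999,yes
""".splitlines()

if __name__ == "__main__":
    print(hosts_needing_patch(SAMPLE_INVENTORY))  # ['xsoar-prod-1', 'xsoar-dev-2']
```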
Palo Alto said that it’s not aware of any exploitation of the bug in the wild.