Critical Palo Alto Cyber-Defense Bug Allows Remote ‘War Room’ Access

Remote, unauthenticated cyberattackers can infiltrate and take over the Cortex XSOAR platform, which anchors unified threat intelligence and incident responses.

A critical security bug in Palo Alto Networks’ Cortex XSOAR could allow remote attackers to run commands and automations in the Cortex XSOAR War Room and to take other actions on the platform, without having to log in.

Found internally by Palo Alto, the bug (CVE-2021-3044) is an improper-authorization vulnerability that “enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API,” according to the security vendor’s Tuesday advisory. It rates 9.8 out of 10 on the CVSS vulnerability-severity scale.

Cortex XSOAR Bug: Security Impact

Cortex XSOAR is a cybersecurity defense platform that supports a variety of use cases, including security operations automation, threat-intelligence management, automated ransomware remediation and cloud-security orchestration, according to Palo Alto’s website. SOAR stands for “security orchestration, automation and response,” and in Palo Alto’s case the term is used to mean taking a unified approach to centralizing threat intelligence and security alerts across sources. The Cortex platform also implements automated workflows and response playbooks, and allows real-time collaboration between teams.

As such, it’s the nexus of a company’s security response.

If remote attackers can run commands and automations in the War Room, they can potentially subvert ongoing security investigations, steal information about a victim’s cyber-defense action plans and more. According to Palo Alto’s online documentation, real-time investigations are facilitated through the War Room, which allows analysts (and on vulnerable systems, remote attackers) to do the following:

  • Run real-time security actions through the command-line interface, without switching consoles.
  • Run security playbooks, scripts and commands.
  • Collaborate and execute remote actions across integrated products.
  • Capture incident context from different sources.
  • Document all actions in one source.
  • Converse with others for joint investigations.

“When you open the War Room, you can see a number of entries such as commands, notes, evidence, tasks, etc.,” the documentation reads.

A mitigating factor, however, is that an adversary would, as mentioned, need access to the same network that Cortex XSOAR is attached to, which requires an earlier compromise or exploit.

Affected Versions and Patches

The issue impacts only Cortex XSOAR configurations with active API key integrations, and specifically the following versions: Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064; and Cortex XSOAR 6.2.0 builds earlier than 1271065.

To protect themselves, users should update to the latest version.

Palo Alto said that it’s not aware of any exploitation of the bug in the wild.
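The affected build ranges and the API-key precondition described above can be applied to a server inventory to decide which instances to patch first. The following is an added example, not code from Palo Alto or from the advisory; the CSV layout, the host names and the `review` status for servers whose API-key state is unknown are assumptions made for illustration.

```python
import csv
import io

# Affected build ranges as stated in the article (both bounds exclusive).
# None means the article gives no lower bound for that version.
AFFECTED = {
    "6.1.0": (1016923, 1271064),
    "6.2.0": (None, 1271065),
}

def classify(version, build, api_keys_active):
    """Return 'affected', 'review' or 'not_affected' for one server."""
    bounds = AFFECTED.get(version)
    if bounds is None:
        return "not_affected"  # version is not one the article lists
    low, high = bounds
    in_range = (low is None or build > low) and build < high
    if not in_range:
        return "not_affected"
    if api_keys_active is None:
        return "review"  # build is in range, API key state unknown
    return "affected" if api_keys_active else "not_affected"

def triage(inventory_csv):
    """Map host -> classification from CSV text (hypothetical format)."""
    flag = {"yes": True, "no": False}
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        results[row["host"]] = classify(
            row["version"].strip(),
            int(row["build"]),
            flag.get(row["api_keys"].strip().lower()),  # other values -> None
        )
    return results

# Constructed sample inventory; hosts and builds are illustrative only.
SAMPLE = """host,version,build,api_keys
xsoar-a.example.internal,6.1.0,1016923,yes
xsoar-b.example.internal,6.1.0,1100000,yes
xsoar-c.example.internal,6.1.0,1271064,yes
xsoar-d.example.internal,6.2.0,1271064,unknown
xsoar-e.example.internal,6.2.0,1200000,no
xsoar-f.example.internal,6.2.0,1271065,yes
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

The boundary builds (1016923, 1271064 for 6.1.0 and 1271065 for 6.2.0) fall outside the affected ranges because the article states them as "later than" and "earlier than."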
