CVE-2023-0001: Cortex XDR Agent: Cleartext Exposure of Agent Admin Password


Palo Alto Networks Security Advisories / CVE-2023-0001

Attack Vector: LOCAL
Scope: UNCHANGED
Attack Complexity: LOW
Confidentiality Impact: HIGH
Privileges Required: HIGH
Integrity Impact: NONE
User Interaction: NONE
Availability Impact: HIGH

Published: 2023-02-08
Updated: 2023-02-08
Reference: CPATR-13152
Discovered internally

Description

An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent.

Product Status

Versions                Affected                   Unaffected
Cortex XDR Agent 7.9    None                       all
Cortex XDR Agent 7.8    None                       all
Cortex XDR Agent 7.5    < 7.5.101-CE on Windows    >= 7.5.101-CE on Windows
Cortex XDR Agent 5.0    None                       all

Severity: MEDIUM

CVSSv3.1 Base Score: 6 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H)

Weakness Type

CWE-319 Cleartext Transmission of Sensitive Information

Solution

This issue is fixed in Cortex XDR agent 7.5.101-CE and all later supported Cortex XDR agent versions. (Cortex XDR agent 5.0 is not impacted.)

After you upgrade to a fixed version of the Cortex XDR agent, you must change the agent admin password in case it was already disclosed to users.

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

Palo Alto Networks thanks Robert McCallum (M42D) for discovering and reporting this issue.

Timeline

2023-02-08 Initial publication
