CVE-2021-3044 Cortex XSOAR: Unauthorized Usage of the REST API


Palo Alto Networks Security Advisories / CVE-2021-3044

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Published 2021-06-22

Updated 2021-06-23

Reference

Discovered internally

Description

An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API.

This issue impacts:

Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064;

Cortex XSOAR 6.2.0 builds earlier than 1271065.

This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions.

All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to resolve this vulnerability. No additional action is required for these instances.

Product Status

Versions              Affected                    Unaffected
Cortex XSOAR 6.2.0    < 1271065                   >= 1271065
Cortex XSOAR 6.1.0    >= 1016923 and < 1271064    < 1016923, >= 1271064
Cortex XSOAR 6.0.2    None                        all
Cortex XSOAR 6.0.1    None                        all
Cortex XSOAR 6.0.0    None                        all
Cortex XSOAR 5.5.0    None                        all

Required Configuration for Exposure

This issue is applicable only to Cortex XSOAR configurations with active API key integrations.

You can determine whether your configuration is impacted by selecting ‘Settings > Integration > API Keys’ from the Cortex XSOAR web client.

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Weakness Type

CWE-285 Improper Authorization

Solution

This issue is fixed in Cortex XSOAR 6.1.0 build 1271064, Cortex XSOAR 6.2.0 build 1271065, and all later Cortex XSOAR versions.

Revoking the active integration API keys is not required if the XSOAR server is upgraded.

Workarounds and Mitigations

Until the XSOAR server is upgraded, the only way to completely prevent exploitation is to revoke all active integration API keys.

To revoke integration API keys from the Cortex XSOAR web client:

Settings > Integration > API Keys and then Revoke each API key.

You can create new API keys after you upgrade Cortex XSOAR to a fixed version.

Restricting network access to the Cortex XSOAR server to allow only trusted users also reduces the impact of this issue.

Acknowledgments

This issue was found during internal security review.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach related to this vulnerability?

The Cortex XSOAR Audit Trail lists all administrative actions performed on the instance. The presence of unexpected actions, new integrations, or additional users could indicate a breach. To view the audit trail, select Settings > Users and Roles > Audit Trail from the web client.

NOTE: exploitation of this vulnerability can impact the integrity of audit trails, which means you cannot use an audit trail to conclusively determine that the Cortex XSOAR instance was not compromised.

Q. Is this issue a remote code execution (RCE) vulnerability?

This issue is not a remote code execution vulnerability. This issue enables an unauthorized attacker to perform actions on behalf of an active Cortex XSOAR integration, which includes running commands and automations in the Cortex XSOAR War Room.

Q. Has this issue been exploited in the wild?

No evidence of active exploitation was identified at the time this advisory was published.

Q. What logs should I examine for clues of a compromise?

You can examine the Cortex XSOAR Audit Trail and the application server log (/var/log/demisto/server.log) for clues that indicate a compromise.

The presence of new or unexpected users and API keys may indicate a compromise.
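The following script is an added example, not Palo Alto Networks code, showing how a responder might triage an audit-trail export for the three indicators the advisory names: unexpected users, API keys or integrations; actors absent from a known-good baseline; and War Room commands run by anyone other than an analyst. The CSV layout, the principal name "integration-key" and the baseline sets are constructed for the example; map them to the columns and identities of your real export before use. Because the advisory warns that exploitation can tamper with the audit trail, the baseline must come from an out-of-band record, and an empty result does not prove the instance was not compromised.

```python
"""Triage a Cortex XSOAR audit-trail export for the indicators named in the
advisory. Added example, not Palo Alto Networks code. The CSV schema and the
principal names below are constructed for this example.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample export. Rows 3-5 model what an attacker acting through an
# integration's API key might leave behind: a new API key, a new user, then a
# War Room command run as that user.
SAMPLE_AUDIT_CSV = """\
timestamp,user,action,object_type,object_name
2021-06-20T08:12:03Z,admin,login,user,admin
2021-06-20T08:15:41Z,admin,create,integration,Splunk
2021-06-21T02:47:10Z,integration-key,create,api_key,backup-key
2021-06-21T02:48:22Z,integration-key,create,user,svc_maint
2021-06-21T02:50:05Z,svc_maint,run_command,automation,!Print
2021-06-22T09:00:00Z,admin,login,user,admin
"""

# Known-good inventory taken out of band (a prior export or a change record),
# not from the audit trail itself, which the advisory says may be tampered with.
BASELINE = {
    "user": {"admin", "analyst1"},
    "api_key": {"splunk-key"},
    "integration": {"Splunk"},
}
ANALYSTS = {"admin", "analyst1"}          # interactive accounts (assumed)
API_KEY_PRINCIPALS = {"integration-key"}  # how key-authenticated actions appear here (assumed)


@dataclass
class Findings:
    suspicious_creates: list = field(default_factory=list)      # (ts, actor, type, name)
    unknown_actors: set = field(default_factory=set)
    commands_by_nonanalyst: list = field(default_factory=list)  # (ts, actor, command)

    def is_clean(self):
        return not (self.suspicious_creates or self.unknown_actors
                    or self.commands_by_nonanalyst)


def parse_audit(csv_text):
    """Parse the export into a list of dict rows (constructed schema)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage(rows, baseline=BASELINE, analysts=ANALYSTS, api_keys=API_KEY_PRINCIPALS):
    """Apply the advisory's checks: unexpected users/keys/integrations, actors
    absent from the baseline, and commands not run by an interactive analyst."""
    findings = Findings()
    known_principals = analysts | api_keys
    for r in rows:
        actor, action = r["user"], r["action"]
        otype, oname = r["object_type"], r["object_name"]
        if actor not in known_principals:
            findings.unknown_actors.add(actor)
        if action == "create" and otype in baseline:
            # A key-authenticated principal creating users, keys or integrations
            # is suspicious even when the object name looks familiar: integrations
            # have no business doing account administration.
            if oname not in baseline[otype] or actor in api_keys:
                findings.suspicious_creates.append((r["timestamp"], actor, otype, oname))
        if action == "run_command" and actor not in analysts:
            findings.commands_by_nonanalyst.append((r["timestamp"], actor, oname))
    return findings


if __name__ == "__main__":
    result = triage(parse_audit(SAMPLE_AUDIT_CSV))
    for item in result.suspicious_creates:
        print("suspicious create:", item)
    for actor in sorted(result.unknown_actors):
        print("actor not in baseline:", actor)
    for item in result.commands_by_nonanalyst:
        print("command by non-analyst:", item)
    if result.is_clean():
        print("no indicators found (this does not prove the instance is clean)")
```

Run against a real export, the interesting output is the first two findings: an API key or user created by a principal that authenticates with an API key is exactly the trace an attacker abusing an integration's identity would leave, and those objects should be compared against the API Keys and Users pages before they are revoked.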

Q. Should I still revoke the keys if I am upgrading the XSOAR server?

No. This vulnerability does not allow an attacker to read the existing API keys. Unless there are unexpected or suspicious API keys, revoking them is not required if the server has been upgraded.

Timeline

2021-06-23 Updated workaround and solution sections to clarify API key revocation.

2021-06-22 Initial publication.
