CVE-2023-0002 Cortex XDR Agent: Product Disruption by Local Windows User
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Published: 2023-02-08
Updated: 2023-02-08
Reference: CPATR-13215 and CPATR-13184
Discovered: externally
Description
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to execute privileged cytool commands that disable or uninstall the agent.
Product Status
Product               Affected versions            Unaffected versions
Cortex XDR Agent 7.9  None                         all
Cortex XDR Agent 7.8  None                         all
Cortex XDR Agent 7.5  < 7.5.101-CE on Windows      >= 7.5.101-CE on Windows
Cortex XDR Agent 5.0  < 5.0.12.22203 on Windows    >= 5.0.12.22203 on Windows
Severity: MEDIUM
CVSSv3.1 Base Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Weakness Type
CWE-693 Protection Mechanism Failure
Solution
This issue is fixed in Cortex XDR agent 5.0.12.22203, Cortex XDR agent 7.5.101-CE, and all later supported Cortex XDR agent versions.
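The Product Status table and the Solution above give a defender enough to triage an agent inventory: a Windows agent is exposed only when it belongs to the 7.5 or 5.0 family and is older than the first fixed release. The script below encodes exactly those table rows and nothing more. It is an added example, not Palo Alto Networks code; the host names, version strings and platform labels in the sample inventory are constructed, and any family the advisory does not list (for example 7.6 or 7.7) is deliberately reported as "not listed" rather than guessed.

```python
"""Triage Cortex XDR agent versions against the CVE-2023-0002 product status
table. Added example; the inventory below is constructed, not real data."""
import re
from typing import Dict, Optional, Tuple

# Rows transcribed from the advisory's Product Status table.
# Key: (major, minor) family. Value: first fixed Windows version, or None
# when the advisory lists every release of that family as unaffected.
FIXED_IN: Dict[Tuple[int, int], Optional[str]] = {
    (7, 9): None,            # "None" affected, "all" unaffected
    (7, 8): None,            # "None" affected, "all" unaffected
    (7, 5): "7.5.101-CE",    # fixed in 7.5.101-CE
    (5, 0): "5.0.12.22203",  # fixed in 5.0.12.22203
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.5.101-CE' into (7, 5, 101). A trailing tag such as '-CE' is
    dropped so the numeric components compare as tuples."""
    core = re.match(r"^\d+(?:\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def assess(version: str, platform: str = "Windows") -> str:
    """Classify one agent as 'affected', 'fixed', 'unaffected' or
    'not listed'. The advisory scopes the issue to Windows, so any other
    platform, and any family missing from the table, is 'not listed'."""
    if platform.lower() != "windows":
        return "not listed"
    parsed = parse_version(version)
    family = parsed[:2]
    if family not in FIXED_IN:
        return "not listed"
    first_fixed = FIXED_IN[family]
    if first_fixed is None:
        return "unaffected"
    # Tuple comparison handles differing lengths: (7, 5) < (7, 5, 101).
    return "affected" if parsed < parse_version(first_fixed) else "fixed"


def audit(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map host name -> status for an inventory of host -> (version, platform)."""
    return {host: assess(ver, plat) for host, (ver, plat) in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = {
    "ws-01": ("7.5.100-CE", "Windows"),
    "ws-02": ("7.5.101-CE", "Windows"),
    "ws-03": ("5.0.12.22100", "Windows"),
    "ws-04": ("7.9.0", "Windows"),
    "ws-05": ("7.6.2", "Windows"),
    "srv-01": ("7.5.100", "Linux"),
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status}")
```

Hosts reported as "affected" are the ones to schedule for the upgrade named in the Solution; "not listed" is a prompt to consult the advisory rather than a clean bill of health.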
Workarounds and Mitigations
There are no known workarounds for this issue.
Acknowledgments
Palo Alto Networks thanks Fernando Romero de la Morena and Robert McCallum (M42D) for discovering and reporting this issue.
Timeline
2023-02-08 Initial publication