A critical vulnerability in Palo Alto Networks, Cortex XSOAR system could have allowed an attacker to perform a command and control in the Cortex XSOAR War Room as well as perform other actions on the platform, without having to log in.

Found internally by Palo Alto, bug (CVE-2021-3044) may cause an incorrect license, which allows a remote, authenticated attacker with access to the network in the Cortex XSOAR server to perform malicious actions through the REST API, ” according to the security vendor’s on Tuesday. It scored 9.8 out of 10 on the CVSS vulnerability scale. 

Cortex XSOAR is a cybersecurity platform and is used in a wide variety of applications, such as automation in security operations, threat intelligence, it management, automatic tool to fix, automated ransomware remediation, and cloud security orchestration, according to the Palo Alto site. SOAR stands for “security orchestration, automation and response,” and, in the case of Palo Alto, the term is used to define a common approach to address the centralization of threat intelligence and security warnings on the resources. The Cortex platform and will also deploy automated workflows, and scripts, as well as real-time collaboration for teams. 

If the remote attackers can perform tasks and automate the System, and they could interfere with ongoing investigations, they can steal information about the victims and their cyber defense action plan, and much more. According to the online documentation, real-time studies are facilitated which allows analysts (and in the systems that are exposed to an attacker) to do the following:

• Run real-time security actions through the command-line interface, without switching consoles.
• Run security playbooks, scripts, and commands.
• Collaborate and execute remote actions across integrated products.
• Capture incident context from different sources.
• Document all actions in one source.
• Converse with others for joint investigations.

“When you open the War Room, you can see a number of entries such as commands, notes, evidence, tasks, etc.,” the documentation reads.

A mitigating factor however is the fact that an adversary, as mentioned, would need to have access to the same network that the Cortex XSOAR is attached to, requiring an earlier compromise or exploit.

Affected Versions

Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064;

Cortex XSOAR 6.2.0 builds earlier than 1271065.

This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions.

All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to resolve this vulnerability. No additional action is required for these instances.

Mitigations

You must revoke all active integration API keys to fully mitigate the impact of this issue.

To revoke integration API keys from the Cortex XSOAR web client:

Settings > Integration > API Keys and then Revoke each API key.

You can create new API keys after you upgrade Cortex XSOAR to a fixed version.

Restricting network access to the Cortex XSOAR server to allow only trusted users also reduces the impact of this issue.