Palo Alto Networks fixes critical flaw (CVE-2021-3044) in Cortex XSOAR

Palo Alto Networks addresses a critical improper authorization vulnerability (CVE-2021-3044) affecting its Cortex XSOAR security orchestration solution, automation and response (SOAR) platform.

Researchers from Palo Alto Networks discovered and addresses a critical improper authorization vulnerability, tracked as CVE-2021-3044, that affects its Cortex XSOAR SOAR platform. The CVE-2021-3044 vulnerability received a CVSS score of 9.8.

A remote, unauthenticated attacker with network access to the Cortex XSOAR server could exploit the vulnerability perform unauthorized actions through the REST API.

“An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API.” reads the security advisory published by the security vendor. “This issue is not a remote code execution vulnerability. This issue enables an unauthorized attacker to perform actions on behalf of an active Cortex XSOAR integration, which includes running commands and automations in the Cortex XSOAR War Room.”

This vulnerability impacts:

• Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064;
• Cortex XSOAR 6.2.0 builds earlier than 1271065.

Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions are not impacted.

The security vendor also provides workarounds for this issue, it suggests revoking all active integration API keys to fully mitigate the impact of this issue and restricting network access to the XSOAR server.

Palo Alto Networks is not aware of any attacks exploiting the CVE-2021-3044 vulnerability.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Palo Alto Networks)

[adrotate banner=”5″]

[adrotate banner=”13″]