CVE-2021-3044 Cortex XSOAR: Unauthorized Usage of the REST API
An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API.
This issue impacts:
Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064;
Cortex XSOAR 6.2.0 builds earlier than 1271065.
This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions.
All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to resolve this vulnerability. No additional action is required for these instances.
|Cortex XSOAR 6.2.0||< 1271065||>= 1271065|
|Cortex XSOAR 6.1.0||>= 1016923 and < 1271064||< 1016923, >= 1271064|
|Cortex XSOAR 6.0.2||None||all|
|Cortex XSOAR 6.0.1||None||all|
|Cortex XSOAR 6.0.0||None||all|
|Cortex XSOAR 5.5.0||None||all|
Required Configuration for Exposure
This issue is applicable only to Cortex XSOAR configurations with active API key integrations.
You can determine whether your configuration is impacted by selecting ‘Settings > Integration > API Keys’ from the Cortex XSOAR web client.
CVSSv3.1 Base Score:9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.
This issue is fixed in Cortex XSOAR 6.1.0 build 1271064, Cortex XSOAR 6.2.0 build 1271065, and all later Cortex XSOAR versions.
Revoking the active integration API keys is not required if the XSOAR server is upgraded.
Workarounds and Mitigations
Until the XSOAR server is upgraded, to completely prevent the issue from being exploited, you must revoke all active integration API keys as a workaround.
To revoke integration API keys from the Cortex XSOAR web client:
Settings > Integration > API Keys and then Revoke each API key.
You can create new API keys after you upgrade Cortex XSOAR to a fixed version.
Restricting network access to the Cortex XSOAR server to allow only trusted users also reduces the impact of this issue.
Frequently Asked Questions
Q. Are there any indicators of compromise or breach related to this vulnerability?
Cortex XSOAR Audit Trail will list all performed administrative actions. The presence of unexpected actions, new integrations, or additional users could indicate a breach. To view an audit trail, select Settings > Users and Roles > Audit Trail from the web client.
NOTE: exploitation of this vulnerability can impact the integrity of audit trails, which means you cannot use an audit trail to conclusively determine that the Cortex XSOAR instance was not compromised.
Q. Is this issue a remote code execution (RCE) vulnerability?
This issue is not a remote code execution vulnerability. This issue enables an unauthorized attacker to perform actions on behalf of an active Cortex XSOAR integration, which includes running commands and automations in the Cortex XSOAR War Room.
Q. Has this issue been exploited in the wild?
No evidence of active exploitation was identified at the time this advisory was published.
Q. What logs should I examine for clues of a compromise?
You can examine the Cortex XSOR Audit Trails and the application server log (/var/log/demisto/server.log) for clues that indicate a compromise.
The presence of new or unexpected users and API keys may indicate a compromise.
Q. Should I still revoke the keys if I am upgrading the XSOAR server?
No. This vulnerability does not allow an attacker to read the existing API keys. Unless there are unexpected or suspicious API keys, revoking them is not required if the server has been upgraded.