
CVE-2021-3044 Cortex XSOAR: Unauthorized Usage of the REST API

Severity: 9.8 CRITICAL
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Description

An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API.

This issue impacts:

Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064;

Cortex XSOAR 6.2.0 builds earlier than 1271065.

This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions.

All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to resolve this vulnerability. No additional action is required for these instances.

Product Status

Versions              Affected                      Unaffected
Cortex XSOAR 6.2.0    < 1271065                     >= 1271065
Cortex XSOAR 6.1.0    >= 1016923 and < 1271064      < 1016923, >= 1271064
Cortex XSOAR 6.0.2    None                          all
Cortex XSOAR 6.0.1    None                          all
Cortex XSOAR 6.0.0    None                          all
Cortex XSOAR 5.5.0    None                          all
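To triage a fleet of servers against the ranges above, the following added example (not Palo Alto Networks code) encodes the Product Status table and classifies each host. The inventory, hostnames and builds are constructed for the example. Note one ambiguity the page itself carries: the description says 6.1.0 builds "later than 1016923" are affected while the table lists ">= 1016923"; the check takes the conservative reading and treats that boundary build as affected.

```python
from typing import Optional

# Affected build ranges from the Product Status table, per version, as
# (lowest_affected_build or None, first_fixed_build).
# The description says 6.1.0 "later than 1016923" but the table says ">= 1016923";
# the boundary build is treated as affected here (conservative assumption).
AFFECTED_RANGES = {
    "6.2.0": (None, 1271065),
    "6.1.0": (1016923, 1271064),
}
UNAFFECTED_VERSIONS = {"6.0.2", "6.0.1", "6.0.0", "5.5.0"}


def version_tuple(version: str) -> tuple:
    """Turn '6.1.0' into (6, 1, 0) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))


def is_affected(version: str, build: int) -> Optional[bool]:
    """True if version/build falls in an affected range, False if fixed or
    unaffected, None if the advisory does not cover this version at all."""
    if version in UNAFFECTED_VERSIONS:
        return False
    if version in AFFECTED_RANGES:
        lowest, fixed = AFFECTED_RANGES[version]
        if lowest is not None and build < lowest:
            return False
        return build < fixed
    if version_tuple(version) > version_tuple("6.2.0"):
        return False  # advisory: fixed in all later Cortex XSOAR versions
    return None  # e.g. 6.1.1: not listed, needs a manual check


def hosts_needing_action(inventory):
    """Hostnames that must be upgraded, or have their API keys revoked meanwhile."""
    return [host for host, version, build in inventory if is_affected(version, build)]


def hosts_not_covered(inventory):
    """Hostnames whose version the advisory does not mention; review by hand."""
    return [host for host, version, build in inventory if is_affected(version, build) is None]


# Constructed inventory for the example: (hostname, version, build). Made-up values.
SAMPLE_INVENTORY = [
    ("xsoar-prod-1", "6.2.0", 1260000),   # affected
    ("xsoar-prod-2", "6.2.0", 1271065),   # fixed build
    ("xsoar-dev",    "6.1.0", 1016923),   # boundary build, treated as affected
    ("xsoar-lab",    "6.1.0", 1000000),   # below the affected range
    ("xsoar-old",    "6.0.2", 900000),    # version not affected
    ("xsoar-odd",    "6.1.1", 5),         # not covered by the advisory
]

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "ok", None: "not covered by advisory"}
    for host, version, build in SAMPLE_INVENTORY:
        print(f"{host:14} {version:6} {build:8} {labels[is_affected(version, build)]}")
```

Hosts reported as "not covered" should not be read as safe; the advisory simply does not list that version, so check the build against the fixed builds by hand.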

Required Configuration for Exposure

This issue is applicable only to Cortex XSOAR configurations with active API key integrations.

You can determine whether your configuration is impacted by selecting ‘Settings > Integration > API Keys’ from the Cortex XSOAR web client.

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Weakness Type

CWE-285 Improper Authorization

Solution

This issue is fixed in Cortex XSOAR 6.1.0 build 1271064, Cortex XSOAR 6.2.0 build 1271065, and all later Cortex XSOAR versions.

Revoking the active integration API keys is not required if the XSOAR server is upgraded.

Workarounds and Mitigations

Until the Cortex XSOAR server is upgraded, the only way to fully prevent exploitation is to revoke all active integration API keys as a workaround.

To revoke integration API keys from the Cortex XSOAR web client:

Settings > Integration > API Keys and then Revoke each API key.

You can create new API keys after you upgrade Cortex XSOAR to a fixed version.

Restricting network access to the Cortex XSOAR server to allow only trusted users also reduces the impact of this issue.

Acknowledgments

This issue was found during internal security review.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach related to this vulnerability?

Cortex XSOAR Audit Trail will list all performed administrative actions. The presence of unexpected actions, new integrations, or additional users could indicate a breach. To view an audit trail, select Settings > Users and Roles > Audit Trail from the web client.

NOTE: exploitation of this vulnerability can impact the integrity of audit trails, which means you cannot use an audit trail to conclusively determine that the Cortex XSOAR instance was not compromised.

Q. Is this issue a remote code execution (RCE) vulnerability?

This issue is not a remote code execution vulnerability. This issue enables an unauthorized attacker to perform actions on behalf of an active Cortex XSOAR integration, which includes running commands and automations in the Cortex XSOAR War Room.

Q. Has this issue been exploited in the wild?

No evidence of active exploitation was identified at the time this advisory was published.

Q. What logs should I examine for clues of a compromise?

You can examine the Cortex XSOAR Audit Trail and the application server log (/var/log/demisto/server.log) for clues that indicate a compromise.

The presence of new or unexpected users and API keys may indicate a compromise.
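The following added example (not Palo Alto Networks code) shows how the indicators named in the two answers above can be applied to an exported audit trail: it flags new users, new API keys, and integration changes made by identities outside a known administrator baseline, flags later activity by any user created within the trail, and, because the advisory warns that exploitation can affect the integrity of the trail, reports missing sequence numbers and out-of-order timestamps as possible tampering. The sample entries and the field layout (seq, ts, actor, action, target) are constructed for the example and are not the real Cortex XSOAR Audit Trail export schema; map your own export onto them.

```python
from datetime import datetime, timezone

# Constructed sample audit-trail export. The field names are an assumed
# illustrative layout, NOT the real Cortex XSOAR Audit Trail schema.
SAMPLE_AUDIT = [
    {"seq": 100, "ts": "2021-06-20T08:00:00Z", "actor": "admin",        "action": "login",              "target": "admin"},
    {"seq": 101, "ts": "2021-06-20T08:05:00Z", "actor": "admin",        "action": "integration.update", "target": "Slack"},
    {"seq": 102, "ts": "2021-06-21T02:13:07Z", "actor": "svc-siem-key", "action": "user.create",        "target": "support-tmp"},
    {"seq": 103, "ts": "2021-06-21T02:13:40Z", "actor": "svc-siem-key", "action": "apikey.create",      "target": "backup-key"},
    # seq 104 is deliberately absent: a possible deleted record
    {"seq": 105, "ts": "2021-06-21T02:14:02Z", "actor": "support-tmp",  "action": "integration.add",    "target": "GenericWebhook"},
    {"seq": 106, "ts": "2021-06-21T02:20:00Z", "actor": "admin",        "action": "login",              "target": "admin"},
]

# Administrative actions the advisory names as possible breach indicators.
SENSITIVE_ACTIONS = {"user.create", "apikey.create", "integration.add", "integration.update"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(entries, known_admins):
    """Return (findings, gaps, out_of_order).

    findings:     list of (seq, [reasons]) for suspicious entries
    gaps:         sequence numbers missing between consecutive entries
    out_of_order: seq values whose timestamp precedes the previous entry's
    """
    ordered = sorted(entries, key=lambda e: e["seq"])
    findings = []
    created_users = set()  # users whose creation is itself recorded in this trail
    for e in ordered:
        reasons = []
        if e["action"] in SENSITIVE_ACTIONS and e["actor"] not in known_admins:
            reasons.append(f"{e['action']} by non-admin identity {e['actor']!r}")
        if e["action"] == "user.create":
            reasons.append(f"new user {e['target']!r} created")
            created_users.add(e["target"])
        if e["action"] == "apikey.create":
            reasons.append(f"new API key {e['target']!r} created")
        if e["actor"] in created_users:
            reasons.append(f"activity by user {e['actor']!r} created within this trail")
        if reasons:
            findings.append((e["seq"], reasons))

    gaps = [s for a, b in zip(ordered, ordered[1:]) for s in range(a["seq"] + 1, b["seq"])]
    out_of_order = [b["seq"] for a, b in zip(ordered, ordered[1:])
                    if parse_ts(b["ts"]) < parse_ts(a["ts"])]
    return findings, gaps, out_of_order


if __name__ == "__main__":
    findings, gaps, out_of_order = triage(SAMPLE_AUDIT, known_admins={"admin"})
    for seq, reasons in findings:
        print(f"seq {seq}: " + "; ".join(reasons))
    if gaps:
        print("missing sequence numbers (possible deleted records):", gaps)
    if out_of_order:
        print("timestamps out of order at seq:", out_of_order)
```

An empty result is not a clean bill of health: as the note above states, an attacker who can act through an integration's privileges may also be able to alter the trail, so treat gaps or ordering anomalies as findings in their own right and corroborate against the server log and any external log forwarding you have.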

Q. Should I still revoke the keys if I am upgrading the XSOAR server?

No. This vulnerability does not allow an attacker to read the existing API keys. Unless there are unexpected or suspicious API keys, revoking them is not required if the server has been upgraded.

Timeline

Updated workaround and solution sections to clarify API key revocation.
Initial publication.
© 2020 Palo Alto Networks, Inc. All rights reserved.