Palo Alto Networks Security Advisories / CVE-2021-3051

CVE-2021-3051 Cortex XSOAR: Authentication Bypass in SAML Authentication

047910
Severity 8.1 · HIGH
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

An improper verification of cryptographic signature vulnerability exists in Cortex XSOAR SAML authentication that enables an unauthenticated network-based attacker with specific knowledge of the Cortex XSOAR instance to access protected resources and perform unauthorized actions on the Cortex XSOAR server.

This issue impacts:

Cortex XSOAR 5.5.0 builds earlier than 1578677;

Cortex XSOAR 6.1.0 builds earlier than 1578663;

Cortex XSOAR 6.2.0 builds earlier than 1578666.

All Cortex XSOAR instances hosted by Palo Alto Networks are protected from this vulnerability; no additional action is required for these instances.

Product Status

VersionsAffectedUnaffected
Cortex XSOAR 6.2.0< 1578666>= 1578666
Cortex XSOAR 6.1.0< 1578663>= 1578663
Cortex XSOAR 5.5.0< 1578677>= 1578677

Required Configuration for Exposure

This issue is applicable only to Cortex XSOAR configurations with SAML authentication integration enabled.

You can determine if your configuration has SAML authentication integration enabled by selecting 'Settings > Servers & Services' and searching for 'SAML'.

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Weakness Type

CWE-347 Improper Verification of Cryptographic Signature

Solution

This issue is fixed in Cortex XSOAR 5.5.0 build 1578677, Cortex XSOAR 6.1.0 build 1578663, Cortex XSOAR 6.2.0 build 1578666, and all later Cortex XSOAR versions.

Workarounds and Mitigations

To completely prevent this issue from being exploited before you can upgrade your Cortex XSOAR server, disable SAML authentication integration.

You can also restrict network access to the Cortex XSOAR server to allow only trusted users to further reduce the impact of this issue.

Acknowledgments

This issue was found by a customer of Palo Alto Networks during a security review.

Frequently Asked Questions

Q. Are there any indicators of compromise or breach related to this vulnerability?

Cortex XSOAR Audit Trail will list all performed administrative actions. The presence of unexpected actions, new integrations, or additional users sometimes indicates a breach. To view an audit trail, select 'Settings > Users and Roles > Audit Trail' from the web client.

Q. Is this issue a remote code execution (RCE) vulnerability?

This issue is not a remote code execution (RCE) vulnerability. This issue enables an unauthorized attacker with specific knowledge of the instance to perform actions on behalf of a Cortex XSOAR administrator.

Q. Has this issue been exploited in the wild?

No evidence of active exploitation was identified at the time this advisory was published.

Q. What logs should I examine for clues of a compromise?

You can examine the Cortex XSOAR Audit Trail and the application server log (/var/log/demisto/server.log) for clues that indicate a compromise.

The presence of new or unexpected users and API keys might indicate a compromise.

Timeline

Removed unsupported Cortex XSOAR versions from solution
Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.