Palo Alto Networks Security Advisories / PAN-SA-2020-0010

PAN-SA-2020-0010 Informational: Cortex XSOAR: Impact of Linux and Docker vulnerabilities on Cortex XSOAR

047910
Severity 0 · NONE
Attack Vector PHYSICAL
Attack Complexity HIGH
Privileges Required HIGH
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact NONE

Description

Cortex XSOAR provides analysts with the option to specify the Docker image to use for running custom scripts and integrations. An analyst who has write permission to scripts or integrations is able to exploit Docker vulnerabilities such as CVE-2019-5736, or Linux kernel vulnerability such as CVE-2020-14386 to obtain root access on the Cortex XSOAR server.

Demisto Server does not use the docker exec command and does not expose a mechanism for an external attacker to manipulate or provide an attacker-controlled image for execution. Thus, CVE-2019-5736 does not increase exposure to an external attack.

CVE-2019-5021 is a vulnerability in Alpine Linux Docker images where the root password may be NULL. Cortex XSOAR has conducted a scan of all Docker images it maintains in its Docker Hub repository. Following the scan, we concluded that none of the Alpine-based images are affected by CVE-2019-5021 because they do not include either the shadow or linux-pam packages.

No Cortex XSOAR Docker images are impacted by CVE-2019-5021.

Product Status

VersionsAffectedUnaffected
Cortex XSOAR allNoneall

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)

Weakness Type

CWE-216 Containment Errors (Container Errors)

Solution

No Palo Alto Networks Cortex XSOAR product updates are required.

Upgrade Docker to the latest version (18.09.2 or later) as provided by your Linux vendor.

Upgrading affected Linux kernels to the latest available patch provided by your Linux vendor.

Workarounds and Mitigations

Mitigate CVE-2020-14386 by not running Docker containers as a root user. A non-root user within a container does not have access to raw packets (CAP_NET_RAW capability). Follow the Cortex XSOAR Hardening Guide to configure a non-root internal user for docker: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/docker/docker-hardening-guide.html .

Mitigate CVE-2019-5736 by disabling write access to scripts and integrations to untrusted analysts.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.