Palo Alto Networks Security Advisories / PAN-SA-2020-0010

PAN-SA-2020-0010 Informational: Cortex XSOAR: Impact of Linux and Docker vulnerabilities on Cortex XSOAR

Severity: 0 · NONE
Attack Vector: Not applicable
Scope: Not applicable
Attack Complexity: Not applicable
Confidentiality Impact: NONE
Privileges Required: Not applicable
Integrity Impact: NONE
User Interaction: Not applicable
Availability Impact: NONE

Description

Cortex XSOAR provides analysts with the option to specify the Docker image to use for running custom scripts and integrations. An analyst who has write permission to scripts or integrations is able to exploit Docker vulnerabilities such as CVE-2019-5736, or a Linux kernel vulnerability such as CVE-2020-14386, to obtain root access on the Cortex XSOAR server.

Demisto Server does not use the docker exec command and does not expose a mechanism for an external attacker to manipulate or provide an attacker-controlled image for execution. Thus, CVE-2019-5736 does not increase exposure to an external attack.

CVE-2019-5021 is a vulnerability in Alpine Linux Docker images where the root password may be NULL. Cortex XSOAR has conducted a scan of all Docker images it maintains in its Docker Hub repository. Following the scan, we concluded that none of the Alpine-based images are affected by CVE-2019-5021 because they do not include either the shadow or linux-pam packages.

No Cortex XSOAR Docker images are impacted by CVE-2019-5021.

CVE | CVSS | Summary
CVE-2020-14386 | 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | Conditions required for exploiting this vulnerability do not exist in Cortex XSOAR software when using Linux kernel version 5.9-rc4 and later or Linux kernel version 4.6 and older.
CVE-2019-5736 | 8.6 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) | Conditions required for exploiting this vulnerability do not exist in Cortex XSOAR software when using Docker version 18.09.2 and later.
CVE-2019-5021 | 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | This is a vulnerability in Alpine Linux Docker images where the root password may be NULL. All Alpine Linux based Docker images for Cortex XSOAR do not include either the shadow or linux-pam packages required for this vulnerability. Hence Cortex XSOAR software is not impacted.

Product Status

Product | Versions | Affected | Unaffected
Cortex XSOAR | all | None | all

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)

Weakness Type

CWE-216 Containment Errors (Container Errors)

Solution

No Palo Alto Networks Cortex XSOAR product updates are required.

Upgrade Docker to the latest version (18.09.2 or later) as provided by your Linux vendor.

Upgrade affected Linux kernels to the latest available patch provided by your Linux vendor.

Workarounds and Mitigations

Mitigate CVE-2020-14386 by not running Docker containers as a root user. A non-root user within a container does not have access to raw packets (CAP_NET_RAW capability). Follow the Cortex XSOAR Hardening Guide to configure a non-root internal user for docker: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/docker/docker-hardening-guide.html

Mitigate CVE-2019-5736 by disabling write access to scripts and integrations to untrusted analysts.
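As an added example (not part of the advisory or of Cortex XSOAR itself), the following Python check applies the version thresholds from the table above and the non-root mitigation to the strings a host reports from `uname -r` and `docker --version`; the sample version strings at the bottom are constructed.

```python
"""Map host versions to the exposure statements in PAN-SA-2020-0010.

Thresholds (Docker 18.09.2, kernel 4.6 / 5.9-rc4) are the ones the advisory
table states; the version strings used at the bottom are constructed samples.
"""
import re
from typing import Dict, Tuple

VersionTuple = Tuple[int, int, int, int]

def parse_version(text: str) -> VersionTuple:
    """Extract the first MAJOR.MINOR[.PATCH][-rcN] from e.g. `uname -r` or
    `docker --version` output.  A release candidate ranks below the final
    release of the same number, so 5.9-rc3 < 5.9-rc4 < 5.9 < 5.9.1."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) - 1000 if rc else 0)

def docker_exposed_to_cve_2019_5736(docker_version: str) -> bool:
    """Advisory: conditions do not exist on Docker 18.09.2 and later."""
    return parse_version(docker_version) < parse_version("18.09.2")

def kernel_exposed_to_cve_2020_14386(kernel_release: str) -> bool:
    """Advisory: conditions do not exist on 5.9-rc4 and later, or on 4.6 and older."""
    v = parse_version(kernel_release)
    return v[:2] > (4, 6) and v < parse_version("5.9-rc4")

def assess(kernel_release: str, docker_version: str, container_runs_as_root: bool) -> Dict[str, str]:
    """One status line per CVE, following the advisory's mitigation text: a
    non-root user inside the container lacks CAP_NET_RAW, which CVE-2020-14386 needs."""
    if not kernel_exposed_to_cve_2020_14386(kernel_release):
        k = "not affected: kernel outside the exploitable range"
    elif container_runs_as_root:
        k = "exposed: patch the kernel or run containers as a non-root user"
    else:
        k = "mitigated: non-root container user has no CAP_NET_RAW; still patch the kernel"
    d = ("exposed: upgrade Docker to 18.09.2 or later; restrict script/integration write access"
         if docker_exposed_to_cve_2019_5736(docker_version)
         else "not affected: Docker 18.09.2 or later")
    return {"CVE-2020-14386": k, "CVE-2019-5736": d}

if __name__ == "__main__":
    # Constructed sample host; on a real host pass in `uname -r` and `docker --version` output.
    for cve, status in assess("5.8.0-44-generic", "Docker version 18.06.1-ce, build e68fc7a", True).items():
        print(f"{cve}: {status}")
```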

Timeline

Initial publication