Palo Alto Networks Security Advisories / PAN-SA-2022-0001

PAN-SA-2022-0001 Cortex XDR Agent: Supervisor Password Hash Disclosure Vulnerability When Generating Support Files

047910
Severity 3.3 · LOW
Attack Vector LOCAL
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact LOW
Privileges Required LOW
Integrity Impact NONE
User Interaction NONE
Availability Impact NONE

Description

An information exposure vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local user to learn the cryptographic hash of the supervisor password when generating support files on a deployed agent.

An attacker must crack the supervisor password hash to make unauthorized changes to the local Cortex XDR agent. This issue has no security impact if the attacker cannot crack the supervisor password hash.

We are working diligently to address this issue in a new version of the Cortex XDR agent. This issue impacts all versions of the Cortex XDR agent but is significantly mitigated with the use of a secure supervisor password.

Product Status

VersionsAffectedUnaffected
Cortex XDR Agent all

Severity:LOW

CVSSv3.1 Base Score:3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. However, details of this issue are publicly available.

Weakness Type

CWE-532 Information Exposure Through Log Files

Solution

We will fix this issue in a new release of the Cortex XDR agent. We will update this advisory when the version information for the fixed Cortex XDR agent is available.

Workarounds and Mitigations

You should ensure that the Cortex XDR agent supervisor password is as complex as possible to make it infeasible for an attacker to crack and to mitigate the impact of this issue. Cortex XDR Server can enforce minimum password complexity requirements to ensure sufficiently secure passwords are used.

Acknowledgments

This issue was found by mr.d0x, an external security researcher.

Timeline

Initial publication
© 2022 Palo Alto Networks, Inc. All rights reserved.