PAN-SA-2022-0001 Cortex XDR Agent: Supervisor Password Hash Disclosure Vulnerability When Generating Support Files
Description
An information exposure vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local user to learn the cryptographic hash of the supervisor password when generating support files on a deployed agent.
An attacker must crack the supervisor password hash to make unauthorized changes to the local Cortex XDR agent. This issue has no security impact if the attacker cannot crack the supervisor password hash.
This issue is fixed in Cortex XDR agent 7.4.1 and all later agent versions. The impact of this issue is significantly mitigated with the use of a secure supervisor password.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cortex XDR Agent 7.5 CE | None | all |
| Cortex XDR Agent 7.9 | None | all |
| Cortex XDR Agent 7.8 | None | all |
| Cortex XDR Agent 7.4 | < 7.4.1 | >= 7.4.1 |
| Cortex XDR Agent 5.0 | all |
Severity: LOW
CVSSv3.1 Base Score: 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue. However, details of this issue are publicly available.
Weakness Type
CWE-532 Information Exposure Through Log Files
Solution
This issue is fixed in Cortex XDR agent 7.4.1 and all later agent versions.
Workarounds and Mitigations
You should ensure that the Cortex XDR agent supervisor password is as complex as possible to make it infeasible for an attacker to crack and to mitigate the impact of this issue. Cortex XDR Server can enforce minimum password complexity requirements to ensure sufficiently secure passwords are used.