PAN-SA-2022-0001 Cortex XDR Agent: Supervisor Password Hash Disclosure Vulnerability When Generating Support Files
Description
An information exposure vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local user to learn the cryptographic hash of the supervisor password when generating support files on a deployed agent.
An attacker must crack the supervisor password hash to make unauthorized changes to the local Cortex XDR agent. This issue has no security impact if the attacker cannot crack the supervisor password hash.
We are working diligently to address this issue in a new version of the Cortex XDR agent. This issue impacts all versions of the Cortex XDR agent but is significantly mitigated with the use of a secure supervisor password.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cortex XDR Agent | all | |
Severity: LOW
CVSSv3.1 Base Score: 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue. However, details of this issue are publicly available.
Weakness Type
CWE-532 Information Exposure Through Log Files
Solution
We will fix this issue in a new release of the Cortex XDR agent. We will update this advisory when the version information for the fixed Cortex XDR agent is available.
Workarounds and Mitigations
You should ensure that the Cortex XDR agent supervisor password is as complex as possible, so that cracking its hash is infeasible for an attacker and the impact of this issue is mitigated. Cortex XDR Server can enforce minimum password complexity requirements to ensure sufficiently secure passwords are used.