PAN-SA-2022-0004 Informational: Cortex XDR Agent: Allow List is Visible to Low Privileged Users
Informational
Description
The Palo Alto Networks Product Security Assurance team is aware of a method that enables a low privileged user on a Windows device to determine which local file system resources are part of the Cortex XDR agent’s configured allow list. These files are not analyzed by the agent and knowledge of the allow list can aid an attacker in environments where the allow list is misconfigured to be overly permissive.
Knowledge of this information does not impact the behavioral threat protection, malware scanning, or other endpoint protection capabilities that detect security events and prevent attacks in areas of the local filesystem that are not part of the allow list.
Product Status
Versions | Affected | Unaffected
---|---|---
Cortex XDR Agent | All agents on Windows with a content update earlier than CU-630 | All agents with CU-630 or a later content update
Required Configuration for Exposure
This method is applicable only to Cortex XDR agent deployments that use an allow list to exclude some local file system resources from analysis.
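Because the risk described here depends on the allow list being overly permissive, the practical defensive check is whether any excluded path can be written to by a non-administrative user. The following PowerShell script is an added example and is not Palo Alto Networks code; it does not read the agent's configuration. It assumes you have exported your exclusion entries from the Cortex XDR console into a string array (the entries below are constructed sample values) and checks each entry's NTFS ACL for write rights granted to broad principals such as BUILTIN\Users or Everyone.

```powershell
# Added example (not Palo Alto Networks code): audit allow-list paths for
# entries that low-privileged users can write to. Input paths are assumed to
# come from an export of the console's exclusion settings; the ones below
# are constructed sample values for demonstration only.

function Test-PermissiveExclusion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path
    )
    # Broad principals: a write grant to any of these means a non-admin user
    # could drop files into a location the agent does not analyze.
    $broadPrincipals = @(
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'Everyone',
        'NT AUTHORITY\INTERACTIVE'
    )
    # Any of these rights lets a principal create or modify files.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($p in $Path) {
        # Wildcard entries cannot be ACL-checked directly; test the literal
        # prefix (usually the parent directory) instead.
        $literal = $p -replace '[\*\?].*$', ''
        if (-not (Test-Path -LiteralPath $literal)) {
            [pscustomobject]@{ Path = $p; Status = 'NotFound'; Principal = $null }
            continue
        }
        $acl = Get-Acl -LiteralPath $literal
        $hits = foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeRights) -ne 0) {
                $ace.IdentityReference.Value
            }
        }
        if ($hits) {
            [pscustomobject]@{ Path = $p; Status = 'UserWritable'; Principal = ($hits -join ', ') }
        } else {
            [pscustomobject]@{ Path = $p; Status = 'OK'; Principal = $null }
        }
    }
}

# Constructed sample exclusion entries (replace with your own export).
$sampleAllowList = @(
    'C:\Windows\Temp\*',
    'C:\Users\Public\Downloads\*',
    'C:\Program Files\ExampleApp\bin\example.exe'
)
Test-PermissiveExclusion -Path $sampleAllowList | Format-Table -AutoSize
```

Entries reported as `UserWritable` are the ones worth tightening: narrow the exclusion to a specific executable, move the excluded data out of a world-writable directory, or restrict the directory ACL. The script only reads ACLs and makes no changes, so it is safe to run from a scheduled compliance job across endpoints.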
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue. However, details of this method are expected to become publicly available.
Solution
This method is detected by Cortex XDR agents on Windows with content update CU-630 and later content update versions.