
PAN-SA-2022-0005 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator

Informational

Description

The Palo Alto Networks Product Security Assurance team is aware of a method that can enable a local administrator to tamper with the Windows registry to disable the Cortex XDR agent on devices running a Windows operating system.

As a result of this method, critical Windows system services would not be available and normal usage of the device would be disrupted. Note that the device must be rebooted before the change takes effect.

This issue is not a new security impact on the confidentiality, integrity, or availability of the system because a local Windows administrator has the ability to disrupt normal usage of the device without employing this method.

Product Status

Versions          Affected                                                          Unaffected
Cortex XDR Agent  All agents with a content update earlier than CU-760 on Windows   All agents with CU-760 or a later content update

Required Configuration for Exposure

This method is applicable only to Cortex XDR agent deployments on Windows that use an allow list to exclude some local file system resources from analysis.

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Solution

This method is prevented by Cortex XDR agents on Windows running content update CU-760 or a later content update version.

Acknowledgments

Palo Alto Networks thanks Milad Fadavvi of Zalando, Ben Tamam, Josh Shepard, Maarten Pentinga and Khalid Latifi for discovering and reporting tampering methods related to this issue.

Timeline

Updated the content version necessary to prevent methods related to this issue
Initial publication
© 2023 Palo Alto Networks, Inc. All rights reserved.