PAN-SA-2022-0005 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator
Informational
Description
The Palo Alto Networks Product Security Assurance team is aware of a method that can enable a local administrator to tamper with the Windows registry to disable the Cortex XDR agent on devices running a Windows operating system.
As a result of this method, critical Windows system services would not be available and normal usage of the device would be disrupted. Note that the device must be rebooted before the tampering takes effect.
This issue does not introduce a new security impact on the confidentiality, integrity, or availability of the system, because a local Windows administrator already has the ability to disrupt normal usage of the device without employing this method.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cortex XDR Agent | All agents on Windows with a content update earlier than CU-860 | All agents on Windows with CU-860 or a later content update |
Required Configuration for Exposure
This method is applicable only to Cortex XDR agent deployments on Windows that use an allow list to exclude some local file system resources from analysis.
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Solution
This method is prevented by Cortex XDR agents on Windows running content update CU-860 or any later content update version.