PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules in Cortex XDR Agent
Informational
Description
The Palo Alto Networks Product Security Assurance team is aware of research presented by SafeBreach entitled "The Dark Side of EDR", describing a specially crafted proof of concept (PoC) that bypasses Cortex XDR agent endpoint protection modules. Practical attack scenarios require administrative privileges on the endpoint to perform this bypass.
The technique presented is detected and blocked by agents running content update CU-1320 or later. This issue does not represent a product vulnerability risk to customers using the Cortex XDR agent. This issue is not applicable to the macOS and Linux platforms.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cortex XDR Agent 8.4 | Agents with a content update earlier than CU-1320 on Windows | Agents with CU-1320 or a later content update on Windows |
| Cortex XDR Agent 8.3 | Agents with a content update earlier than CU-1320 on Windows | Agents with CU-1320 or a later content update on Windows |
| Cortex XDR Agent 8.2 | Agents with a content update earlier than CU-1320 on Windows | Agents with CU-1320 or a later content update on Windows |
| Cortex XDR Agent 8.1 | Agents with a content update earlier than CU-1320 on Windows | Agents with CU-1320 or a later content update on Windows |
| Cortex XDR Agent 8.0 | Agents with a content update earlier than CU-1320 on Windows | Agents with CU-1320 or a later content update on Windows |
| Cortex XDR Agent 7.9 | Agents with a content update earlier than CU-1320 on Windows | Agents with CU-1320 or a later content update on Windows |
| Cortex XDR Agent 5.0 | All agents on Windows | None |
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Solution
Cortex XDR agent content update CU-1320 detects and prevents this technique.
No updates are planned for Cortex XDR agent 5.0 as it does not have the relevant Behavioral Threat Protection module required to detect this technique.
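The Product Status table and the Solution above reduce to a small set of rules: Windows only, content update CU-1320 or later protects the 7.9 through 8.4 trains, and 5.0 has no content fix and needs an agent upgrade. The script below applies those rules to an endpoint inventory so the hosts that still need action fall out in one pass. It is an added example for this bulletin, not Palo Alto Networks code: the inventory rows are constructed, and the field names (hostname, platform, agent_version, content_version) are assumptions rather than any particular console export format.

```python
"""Triage a Cortex XDR agent inventory against PAN-SA-2024-0005.

Added example, not Palo Alto Networks code. The inventory rows are
constructed and the field names are assumptions; adapt the Endpoint
constructor to whatever export your console produces.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# From the bulletin: content update that detects and blocks the technique on Windows.
FIXED_CONTENT_UPDATE = 1320
# Agent trains the bulletin lists as fixed by CU-1320 or later.
LISTED_TRAINS = {"7.9", "8.0", "8.1", "8.2", "8.3", "8.4"}
# Train with no planned update: lacks the Behavioral Threat Protection module.
NO_FIX_TRAINS = {"5.0"}
# Bulletin scope is Windows only; macOS and Linux are not applicable.
APPLICABLE_PLATFORMS = {"windows"}


@dataclass
class Endpoint:
    hostname: str
    platform: str
    agent_version: str      # assumed format, e.g. "8.3.1.12345"
    content_version: str    # assumed format, e.g. "CU-1310" or "1320"


def parse_content_update(value: str) -> Optional[int]:
    """Extract the numeric content update from strings like 'CU-1320' or '1320'."""
    m = re.search(r"(\d+)", value or "")
    return int(m.group(1)) if m else None


def agent_train(version: str) -> str:
    """Return the major.minor train of an agent version, e.g. '8.3.1.12345' -> '8.3'."""
    parts = version.strip().split(".")
    return ".".join(parts[:2]) if len(parts) >= 2 else version.strip()


def triage(ep: Endpoint) -> str:
    """Classify one endpoint against the bulletin's status matrix.

    Returns one of: not_applicable, protected, exposed, exposed_no_fix, review.
    Unknown or unparsable content versions are treated as unprotected.
    """
    if ep.platform.strip().lower() not in APPLICABLE_PLATFORMS:
        return "not_applicable"
    train = agent_train(ep.agent_version)
    if train in NO_FIX_TRAINS:
        return "exposed_no_fix"     # 5.0: content updates will not help, upgrade the agent
    if train not in LISTED_TRAINS:
        return "review"             # train not covered by the bulletin, check manually
    cu = parse_content_update(ep.content_version)
    if cu is None or cu < FIXED_CONTENT_UPDATE:
        return "exposed"
    return "protected"


def needs_action(inventory: List[Endpoint]) -> List[Tuple[str, str]]:
    """Return (hostname, status) for every endpoint that is not known to be covered."""
    done = {"protected", "not_applicable"}
    return [(ep.hostname, s) for ep in inventory if (s := triage(ep)) not in done]


# Constructed sample inventory; none of these are real hosts.
SAMPLE_INVENTORY = [
    Endpoint("win-fs01", "Windows", "8.3.1.12345", "CU-1330"),
    Endpoint("win-ws07", "Windows", "8.1.0.8765", "CU-1290"),
    Endpoint("win-legacy", "Windows", "5.0.9.4321", "CU-1330"),
    Endpoint("mac-dev02", "macOS", "8.4.0.100", "CU-1280"),
    Endpoint("win-ws12", "Windows", "7.9.2.500", ""),
    Endpoint("win-old03", "Windows", "7.5.0.200", "CU-1320"),
]

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

The conservative choices are deliberate: an endpoint with a missing or unparsable content version is reported as exposed rather than silently skipped, and a train the bulletin does not list is flagged for review rather than assumed fixed, since the page only states the status of 7.9 through 8.4 and 5.0.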