06.22.21

CVE-2021-3044 Vulnerability: Cortex XSOAR

By Deepwatch, 

[Editor’s Note] Deepwatch has successfully upgraded the Palo Alto Cortex XSOAR platform to a version that is not vulnerable.  The upgrade was completed 6/23/21 at 10PM EST without a lapse in coverage.

Executive Summary

Deepwatch is currently tracking and mitigating the recent Cortex XSOAR vulnerability CVE-2021-3044, which allows unauthorized use of the Cortex XSOAR REST API. At the time of Palo Alto Networks' advisory[1], no evidence of exploitation in the wild had been identified.

What is Deepwatch doing?

Deepwatch has identified that our Cortex XSOAR version is impacted by this vulnerability and has taken the following steps to mitigate it:

  • Deepwatch has reduced our exposure by implementing detection use cases that monitor for invalid API usage;
  • Deepwatch has activated our emergency change management protocol to upgrade to a non-affected version of Cortex XSOAR;
  • Deepwatch has had, and maintains, limited access to the Cortex XSOAR environment.

Supporting Details

Affected Cortex XSOAR Versions:

  • Cortex XSOAR 6.2.0 Build < 1271065
  • Cortex XSOAR 6.1.0 Build >= 1016923 and < 1271064

CVSS Details

  • Base Score: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Who is affected?

Only the Cortex XSOAR versions listed above are affected, and only instances that are configured with active integration API keys. To determine whether your organization is affected, compare your version and build number against the affected ranges above, and review 'Settings > Integration > API Keys' in the Cortex XSOAR web client for currently active keys (and watch for any created later).

Workarounds & Mitigations

Palo Alto Networks has provided the following workarounds and mitigations for organizations running affected Cortex XSOAR versions[1]:

  • To fully mitigate the issue, revoke all active integration API keys.
    • To revoke integration API keys from the Cortex XSOAR web client:
      • Settings > Integration > API Keys, then Revoke each API key.
    • Note: You can create new API keys after you upgrade Cortex XSOAR to a fixed version.
  • To reduce the impact of the issue, restrict network access to the Cortex XSOAR server so that only trusted users can reach it.
  • To monitor for the issue, review the Cortex XSOAR server.log for user invites and API key creation. The following Splunk searches assume server.log is ingested into an index named demisto:
    • New user creation
      • index=demisto "*/home/circleci/.go_workspace/src/github.com/demisto/server/repoDB/complexRepo/invite.go*" | rex " invite (for? )?(?<invite>\S+)" | table _time invite
    • New API key creation
      • index=demisto "*/builds/gopath/src/github.com/demisto/server/web/middleware.go*" (apikeys AND "*POST*") | table _raw
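The two Splunk searches above reduce to a source-path match plus a keyword or regex match on each server.log line, and the affected build ranges under Supporting Details reduce to two interval checks. The Python below is an added example, not code from this page, from Deepwatch, or from Palo Alto Networks: it applies the same matching to a constructed server.log excerpt and encodes the affected ranges as a version check. The line layout of the sample log, the timestamp parsing, and the identities in it are assumptions made for the example; only the source paths, keywords and regex come from the searches on the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Affected build ranges as the advisory lists them: 6.1.0 builds from 1016923
# up to but not including 1271064, and 6.2.0 builds below 1271065.
AFFECTED_BUILD_RANGES = {
    "6.2.0": (0, 1271065),
    "6.1.0": (1016923, 1271064),
}


def is_affected(version: str, build: int) -> bool:
    """True when a Cortex XSOAR version/build pair falls inside an affected range."""
    low, high = AFFECTED_BUILD_RANGES.get(version, (0, 0))
    return low <= build < high


# Source-file paths the two Splunk searches key on (taken from the searches).
INVITE_SOURCE = "/home/circleci/.go_workspace/src/github.com/demisto/server/repoDB/complexRepo/invite.go"
APIKEY_SOURCE = "/builds/gopath/src/github.com/demisto/server/web/middleware.go"

# Python form of the Splunk rex; the named-group syntax here is (?P<name>...).
INVITE_RE = re.compile(r" invite (for? )?(?P<invite>\S+)")


@dataclass(frozen=True)
class Alert:
    kind: str    # "new_user_invite" or "api_key_created"
    time: str    # timestamp lifted from the log line
    detail: str  # invited identity, or the raw line for API-key events


def _timestamp(line: str) -> str:
    # Assumed layout: "<date> <time> <level> <source>:<line>: <message>".
    # Real server.log lines may differ; adjust this one helper if they do.
    return " ".join(line.split(" ", 2)[:2])


def find_user_invites(log_text: str) -> List[Alert]:
    """Equivalent of the 'New user creation' search: invite.go lines carrying an invite target."""
    alerts = []
    for line in log_text.splitlines():
        if INVITE_SOURCE not in line:
            continue
        match = INVITE_RE.search(line)
        if match:
            alerts.append(Alert("new_user_invite", _timestamp(line), match.group("invite")))
    return alerts


def find_api_key_creations(log_text: str) -> List[Alert]:
    """Equivalent of the 'New API key creation' search: middleware.go lines mentioning apikeys and POST.

    Splunk term matching is case-insensitive, so the keyword checks are too.
    """
    alerts = []
    for line in log_text.splitlines():
        lowered = line.lower()
        if APIKEY_SOURCE in line and "apikeys" in lowered and "post" in lowered:
            alerts.append(Alert("api_key_created", _timestamp(line), line))
    return alerts


def detect(log_text: str) -> List[Alert]:
    """Run both detections and return the alerts in timestamp order."""
    return sorted(find_user_invites(log_text) + find_api_key_creations(log_text),
                  key=lambda a: a.time)


# Constructed sample server.log excerpt (not real Cortex XSOAR output): two
# invites, one API-key POST, a harmless GET of the key list, an unrelated
# POST, and an invite.go line that is not an invite creation.
SAMPLE_SERVER_LOG = """\
2021-06-22 14:01:07.112 info /home/circleci/.go_workspace/src/github.com/demisto/server/repoDB/complexRepo/invite.go:88: created invite for alice@example.com
2021-06-22 14:02:31.540 info /builds/gopath/src/github.com/demisto/server/web/middleware.go:211: POST /apikeys 200 user=admin
2021-06-22 14:02:45.001 info /builds/gopath/src/github.com/demisto/server/web/middleware.go:211: GET /apikeys 200 user=admin
2021-06-22 14:03:10.777 info /builds/gopath/src/github.com/demisto/server/web/middleware.go:211: POST /playbook/run 200 user=admin
2021-06-22 14:04:00.000 info /home/circleci/.go_workspace/src/github.com/demisto/server/repoDB/complexRepo/invite.go:40: listing pending invites
2021-06-22 14:05:59.300 info /home/circleci/.go_workspace/src/github.com/demisto/server/repoDB/complexRepo/invite.go:88: invite bob@example.com
"""

if __name__ == "__main__":
    print("6.2.0 build 1271064 affected:", is_affected("6.2.0", 1271064))
    for alert in detect(SAMPLE_SERVER_LOG):
        print(f"{alert.time}  {alert.kind:16}  {alert.detail}")
```

Note what these searches do and do not cover: they surface new invites and new key creation, which is where an attacker who has gained REST API access would leave a persistence trail, but they do not show use of an already-issued key by an unauthenticated caller. They are a monitoring aid alongside revoking active keys and upgrading, not a substitute for either.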

Sources

  1. https://security.paloaltonetworks.com/CVE-2021-3044 
