[Editor’s Note] Deepwatch has successfully upgraded the Palo Alto Cortex XSOAR platform to a version that is not vulnerable.  The upgrade was completed 6/23/21 at 10PM EST without a lapse in coverage.

Executive Summary

Deepwatch is currently tracking and mitigating the recent Cortex XSOAR CVE (CVE-2021-3044) which presents a risk to unauthorized usage of the REST API. At the time of Palo Alto Network’s advisory[1], no evidence of exploitation had been identified in the wild. 

What is Deepwatch doing?

Deepwatch has identified that our Cortex XSOAR version is impacted by this vulnerability, and has taken these steps to mitigate:

• Deepwatch has taken the steps to eliminate our exposure by implementing use cases to monitor invalid API usage;
• Deepwatch has also activated our emergency change management protocol to upgrade to a non-affected version of Cortex XSOAR;
• Deepwatch has had and maintains limited access to the Cortex XSOAR environment.
  

Supporting Details

Affected Cortex XSOAR Versions:

• Cortex XSOAR 6.2.0 Build < 1271065
• Cortex XSOAR 6.1.0 Build >= 1016923 and < 1271064

CVSS Details

• Severity: 9.8
• Attack Vector: Network
• Attack Complexity: Low
• User Interaction: None
• Required Privileges: None
• Scope: Unchanged
• Confidentiality Impact: High
• Integrity Impact: High
• Availability Impact: High

Who is affected?

Only specific Cortex XSOAR versions and instances that are configured with active API key integrations are affected. To determine if your organization is affected, check the version and build number in context to the CVE, and view the  ‘Settings > Integration > API Keys’ details from the Cortex XSOAR web client for current and future API keys.

Workarounds & Mitigations

Palo Alto Networks has provided a list of workarounds and mitigations for organizations with affected Cortex XSOAR versions; these workarounds and mitigations include the following[1]:

• To fully mitigate the issue, revoke all active integration API keys.
  • To revoke integration API keys from the Cortex XSOAR web client:
    • Settings > Integration > API Keys and then Revoke each API key.
  • Note: You can create new API keys after you upgrade Cortex XSOAR to a fixed version.
• To reduce the impact of the issue, restrict network access to the Cortex XSOAR server to allow only trusted users.
• To monitor the issue, review logs via Splunk for updates to user invites and API key creation (where index=demisto is ingested server.log).
  • New user creation
    • index=demisto “*/home/circleci/.go_workspace/src/github.com/demisto/server/repoDB/complexRepo/invite.go*” | rex ” invite (for? )?(?<invite>\S+)” | table _time invite
  • New API key creation
    • index=demisto “*/builds/gopath/src/github.com/demisto/server/web/middleware.go*” (apikeys AND “*POST*”) | table _raw

Sources

1. https://security.paloaltonetworks.com/CVE-2021-3044 

Learn more about Deepwatch Vulnerability Management here.

↑