{ "file_item": { "filepath": "security-advisories", "filename": "CERT-EU-SA2021-029.pdf" }, "title": "Critical Vulnerability in PaloAlto Cortex", "serial_number": "2021-029", "publish_date": "24-06-2021 08:38:00", "description": "On the 22nd of June 2021, PaloAlto released Security Advisory to address a vulnerability in Palo Alto Networks Cortex XSOAR. Severity is critical with a CVSSv3.1 Base Score: 9.8.", "url_title": "2021-029", "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0PaloAlto\u00a0Cortex'\nversion: '1.0'\nnumber: '2021-029'\ndate: 'June 24, 2021'\n---\n\n_History:_\n\n* _24/06/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn the 22nd of June 2021, PaloAlto released Security Advisory to address a vulnerability in Palo Alto Networks Cortex XSOAR. Severity is **critical** with a CVSSv3.1 Base Score: 9.8 [1].\n\n# Technical Details\n\nAn improper authorisation vulnerability in some versions of Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorised actions through the REST API [1].\n\nThe vulnerability received CVE-2021-3044 [2]\n\n# Products Affected\n\n- Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064;\n- Cortex XSOAR 6.2.0 builds earlier than 1271065.\n\n# Recommendations\n\nThis issue is fixed in Cortex XSOAR 6.1.0 build 1271064, Cortex XSOAR 6.2.0 build 1271065, and all later Cortex XSOAR versions.\n\nCERT-EU recommends updating the vulnerable application as soon as possible.\n\n## Workarounds and Mitigations\n\nTo fully mitigate the impact of this issue, all active integration API keys must be revoked.\n\nTo revoke integration API keys from the Cortex XSOAR web client go to _Settings_ > _Integration_ > _API Keys_ and then _Revoke_ each API key.\n\nYou can create new API keys after you upgrade Cortex XSOAR to a fixed version.\n\nRestricting network access to the Cortex XSOAR server to allow only trusted users also reduces the impact of this issue. Please refer to [1] for more details.\n\n# References\n\n[1] \n\n[2] \n", "content_html": "

History:

Summary

On the 22nd of June 2021, PaloAlto released Security Advisory to address a vulnerability in Palo Alto Networks Cortex XSOAR. Severity is critical with a CVSSv3.1 Base Score: 9.8 [1].

Technical Details

An improper authorisation vulnerability in some versions of Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorised actions through the REST API [1].

The vulnerability received CVE-2021-3044 [2]

Products Affected

Recommendations

This issue is fixed in Cortex XSOAR 6.1.0 build 1271064, Cortex XSOAR 6.2.0 build 1271065, and all later Cortex XSOAR versions.

CERT-EU recommends updating the vulnerable application as soon as possible.

Workarounds and Mitigations

To fully mitigate the impact of this issue, all active integration API keys must be revoked.

To revoke integration API keys from the Cortex XSOAR web client go to Settings > Integration > API Keys and then Revoke each API key.

You can create new API keys after you upgrade Cortex XSOAR to a fixed version.

Restricting network access to the Cortex XSOAR server to allow only trusted users also reduces the impact of this issue. Please refer to [1] for more details.

References

[1] https://security.paloaltonetworks.com/CVE-2021-3044

[2] https://nvd.nist.gov/vuln/detail/CVE-2021-3044

", "licence": { "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)", "link": "https://creativecommons.org/licenses/by/4.0/", "restrictions": "https://cert.europa.eu/legal-notice", "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies" } }