Friday, October 15, 2021

Critical bug found in Cortex XSOAR Allows Remote ‘War Room’ Access


A critical vulnerability in Palo Alto Networks' Cortex XSOAR platform could have allowed an attacker to execute commands in the Cortex XSOAR War Room and perform other actions on the platform without having to log in.

Found internally by Palo Alto, the bug (CVE-2021-3044) is an improper authorization vulnerability that "enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API," according to the security vendor's advisory on Tuesday. It scored 9.8 out of 10 on the CVSS vulnerability scale.

Cortex XSOAR is a cybersecurity platform used for a wide range of tasks, including security operations automation, threat intelligence management, IT management, automated remediation, automated ransomware remediation, and cloud security orchestration, according to the Palo Alto site. SOAR stands for "security orchestration, automation and response"; in Palo Alto's case the term describes a common approach to centralizing threat intelligence and security alerts across an organization's resources. The Cortex platform also provides automated workflows and scripts, as well as real-time collaboration for teams.

An attacker who can remotely run tasks and automations on the system could interfere with ongoing investigations, steal information about victims and their cyber defense action plan, and more. According to the online documentation, the War Room supports real-time investigation, letting analysts (and, on exposed systems, an attacker) do the following:

  • Run real-time security actions through the command-line interface, without switching consoles.
  • Run security playbooks, scripts, and commands.
  • Collaborate and execute remote actions across integrated products.
  • Capture incident context from different sources.
  • Document all actions in one source.
  • Converse with others for joint investigations.

“When you open the War Room, you can see a number of entries such as commands, notes, evidence, tasks, etc.,” the documentation reads.

A mitigating factor, however, is that an adversary would, as mentioned, need access to the same network the Cortex XSOAR server is attached to, which requires an earlier compromise or exploit.

Affected Versions

Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064;

Cortex XSOAR 6.2.0 builds earlier than 1271065.

This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions.

All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to resolve this vulnerability. No additional action is required for these instances.

You must revoke all active integration API keys to fully mitigate the impact of this issue.

To revoke integration API keys from the Cortex XSOAR web client:

Settings > Integration > API Keys and then Revoke each API key.

You can create new API keys after you upgrade Cortex XSOAR to a fixed version.

Restricting network access to the Cortex XSOAR server to allow only trusted users also reduces the impact of this issue.
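To turn the affected-version list above into something an asset owner can run against an inventory, here is an added example (not code from Palo Alto Networks or from the original article) that encodes the advisory's build-number boundaries and flags the hosts that still need the upgrade. The inventory entries and hostnames are constructed sample data.

```python
"""Check Cortex XSOAR version/build pairs against the CVE-2021-3044 affected ranges.

The ranges come from the vendor advisory as quoted in the article; the sample
inventory at the bottom is constructed data, not real hosts.
"""
from typing import Dict, List, Optional, Tuple

# version -> (lower bound, exclusive, or None for "any build"; upper bound, exclusive)
AFFECTED_RANGES: Dict[str, Tuple[Optional[int], int]] = {
    "6.1.0": (1016923, 1271064),  # builds later than 1016923 and earlier than 1271064
    "6.2.0": (None, 1271065),     # builds earlier than 1271065
}

# Versions the advisory explicitly lists as not impacted.
NOT_IMPACTED = {"5.5.0", "6.0.0", "6.0.1", "6.0.2"}


def is_affected(version: str, build: int) -> bool:
    """Return True when this version/build falls inside an affected range."""
    version = version.strip()
    if version in NOT_IMPACTED:
        return False
    bounds = AFFECTED_RANGES.get(version)
    if bounds is None:
        # The advisory says nothing about this version, so we cannot claim it is affected.
        return False
    low, high = bounds
    if low is not None and build <= low:
        return False
    return build < high


def fixed_build(version: str) -> Optional[int]:
    """Lowest build of a listed version that carries the fix, or None if the version is not listed."""
    bounds = AFFECTED_RANGES.get(version.strip())
    return None if bounds is None else bounds[1]


def find_affected_hosts(inventory: List[Tuple[str, str, int]]) -> List[str]:
    """Inventory entries are (hostname, version, build); return hosts that still need the upgrade."""
    return [host for host, ver, build in inventory if is_affected(ver, build)]


# Constructed sample inventory; builds are chosen to exercise the range boundaries.
SAMPLE_INVENTORY = [
    ("xsoar-prod-1", "6.1.0", 1016923),  # exactly the lower bound: not affected
    ("xsoar-prod-2", "6.1.0", 1100000),  # inside the range: affected
    ("xsoar-prod-3", "6.1.0", 1271064),  # first fixed 6.1.0 build: not affected
    ("xsoar-dev-1", "6.2.0", 1250000),   # earlier than 1271065: affected
    ("xsoar-dev-2", "6.2.0", 1271065),   # fixed 6.2.0 build: not affected
    ("xsoar-legacy", "6.0.2", 900000),   # version explicitly not impacted
]

if __name__ == "__main__":
    for host in find_affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required, then revoke and re-issue integration API keys")
```

Hosts the script reports should be upgraded first and have their integration API keys revoked and recreated afterwards, as the advisory instructs.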

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

