Friday, July 23, 2021

Critical bug found in Cortex XSOAR Allows Remote ‘War Room’ Access


A critical vulnerability in Palo Alto Networks' Cortex XSOAR could have allowed an attacker to execute commands in the Cortex XSOAR War Room, as well as perform other actions on the platform, without having to log in.

“Found internally by Palo Alto, the bug (CVE-2021-3044) stems from improper authorization, which allows a remote, authenticated attacker with network access to the Cortex XSOAR server to perform malicious actions through the REST API,” according to the security vendor’s advisory on Tuesday. It scored 9.8 out of 10 on the CVSS vulnerability scale.

Cortex XSOAR is a cybersecurity platform used for a wide variety of tasks, such as security operations automation, threat intelligence, IT management, automated remediation, automated ransomware remediation, and cloud security orchestration, according to the Palo Alto site. SOAR stands for “security orchestration, automation and response,” and, in Palo Alto's case, the term describes a common approach to centralizing threat intelligence and security alerts across an organization's resources. The Cortex platform also runs automated workflows and scripts, and provides real-time collaboration for teams.

If remote attackers can run tasks and automations on the system, they could interfere with ongoing investigations, steal information about victims and their cyber-defense action plans, and more. According to the online documentation, the War Room facilitates real-time investigations, allowing analysts (and, on an exposed system, an attacker) to do the following:

  • Run real-time security actions through the command-line interface, without switching consoles.
  • Run security playbooks, scripts, and commands.
  • Collaborate and execute remote actions across integrated products.
  • Capture incident context from different sources.
  • Document all actions in one source.
  • Converse with others for joint investigations.

“When you open the War Room, you can see a number of entries such as commands, notes, evidence, tasks, etc.,” the documentation reads.

A mitigating factor, however, is that an adversary, as mentioned, would need access to the same network the Cortex XSOAR server is attached to, which requires an earlier compromise or exploit.

Affected Versions

Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064;

Cortex XSOAR 6.2.0 builds earlier than 1271065.

This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions.
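To turn the affected-version list above into an inventory check, here is an added example (not Palo Alto Networks code) that classifies a version/build string against the ranges stated in the advisory; the input format "6.1.0 build 1200000" is an assumption.

```python
"""Classify a Cortex XSOAR release/build against the CVE-2021-3044 affected ranges.

Added example, not vendor code. Version and build numbers come from the advisory text;
the accepted input format ("6.1.0 build 1234567" or "6.1.0 1234567") is an assumption.
"""
import re
from typing import Dict, Optional, Tuple

# version -> (exclusive lower build bound, exclusive upper build bound).
# A lower bound of None means every build below the upper bound is affected.
AFFECTED_BUILDS: Dict[str, Tuple[Optional[int], int]] = {
    "6.1.0": (1016923, 1271064),  # builds later than 1016923 and earlier than 1271064
    "6.2.0": (None, 1271065),     # builds earlier than 1271065
}

# Releases the advisory explicitly lists as not impacted.
NOT_AFFECTED = {"5.5.0", "6.0.0", "6.0.1", "6.0.2"}

_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)\s*(?:build\s*)?(\d+)$")


def parse_version(text: str) -> Tuple[str, int]:
    """Split '6.1.0 build 1200000' into ('6.1.0', 1200000)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), int(m.group(2))


def assess(text: str) -> str:
    """Return 'affected', 'fixed', 'not_affected' or 'unknown' for a version/build string."""
    version, build = parse_version(text)
    if version in NOT_AFFECTED:
        return "not_affected"
    if version not in AFFECTED_BUILDS:
        return "unknown"        # release not covered by the advisory; consult the vendor
    lower, upper = AFFECTED_BUILDS[version]
    if build >= upper:
        return "fixed"          # build carries the fix
    if lower is None or build > lower:
        return "affected"
    return "not_affected"       # 6.1.0 builds at or below 1016923 lie outside the stated range
```

An "unknown" result means the release is simply not named in the advisory, so it should be checked against the vendor's current guidance rather than treated as safe.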

All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to resolve this vulnerability. No additional action is required for these instances.


You must revoke all active integration API keys to fully mitigate the impact of this issue.

To revoke integration API keys from the Cortex XSOAR web client:

Settings > Integration > API Keys and then Revoke each API key.

You can create new API keys after you upgrade Cortex XSOAR to a fixed version.

Restricting network access to the Cortex XSOAR server to allow only trusted users also reduces the impact of this issue.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
