QID 375785

Date Published: 2021-08-31

QID 375785: Cortex XDR Agent Local Privilege Escalation Vulnerability

A local privilege escalation vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables an authenticated local Windows user to execute programs with SYSTEM privileges.

This requires the user to have the privilege to create files in the Windows root directory or to manipulate key registry values.

Affected versions:
Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.11;
Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.8;
Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.3;
All versions of Cortex XDR agent 7.2 without content update release 171 or a later version.

QID Detection Logic (Authenticated) :
This checks for vulnerable version of CyveraConsole.exe file.

On successful exploitation if enables authenticated local Windows user to execute programs with SYSTEM privileges.

  • CVSS V3 rated as High - 7.8 severity.
  • CVSS V2 rated as High - 7.2 severity.
    • Solution
    Vendor has released updates to fix the issue. Please refer to vendor advisory CVE-2021-3041 for more information.
    Vendor References

    CVEs related to QID 375785

    CVE-2021-3041 |
    Software Advisories
    Advisory ID Software Component Link
    CVE-2021-3041 Windows URL Logo security.paloaltonetworks.com/CVE-2021-3041
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].