-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.5775.2
        CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE)
                   Vulnerability in Cortex XSOAR Engine
                             21 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cortex XSOAR
Publisher:         Palo Alto Networks
Operating System:  Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0031  

Original Bulletin: 
   https://securityadvisories.paloaltonetworks.com/CVE-2022-0031

Comment: CVSS (Max):  6.7 CVE-2022-0031 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Revision History:  November 21 2022: Clarified fix availability as build numbers for Cortex XSOAR have changed. Updated the CVSS source.
                   November 10 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2022-0031

CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in
Cortex XSOAR Engine

Severity 6.7 MEDIUM

Attack Vector           LOCAL
Attack Complexity       LOW
Privileges Required     HIGH
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  HIGH
Integrity Impact        HIGH
Availability Impact     HIGH
Published 2022-11-09
Updated 2022-11-19
Reference CRTX-57476
Discovered externally

Description

A local privilege escalation (PE) vulnerability in the Palo Alto Networks
Cortex XSOAR engine software running on a Linux operating system allows a local
attacker with shell access to the engine to execute programs with elevated
privileges.

Product Status

Versions          Affected                                             Unaffected
Cortex XSOAR 6.9  < 6.9.0.130766 on Linux, <= 6.9.0.3387847 on Linux  >= 6.9.0.130766 on Linux
Cortex XSOAR 6.8  all
Cortex XSOAR 6.6  all
Cortex XSOAR 6.5  all

Required Configuration for Exposure

This issue is applicable only to Cortex XSOAR engine software running on a
Linux operating system that was installed through the shell method.

Please see the following link for more Cortex XSOAR engine installation
information:

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/engines/install-deploy-and-configure-demisto-engines

Severity: MEDIUM

CVSSv3.1 Base Score: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-345 Insufficient Verification of Data Authenticity

Solution

This issue is fixed in Cortex XSOAR engine software available in Cortex XSOAR
6.9.0 build 130766 and all later versions of Cortex XSOAR.

NOTE: The build numbers for Cortex XSOAR software releases have changed format.
Please consider the new format when evaluating version applicability. Cortex
XSOAR release documentation is available at the following link:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar.
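The Product Status table, the Linux/shell-install exposure precondition and the build-number caveat above combine into one applicability check. The following Python script is an added example, not part of the advisory or of any vendor tooling; the inventory records, the function names and the rule used to tell the two build-number formats apart (7-digit builds such as 3387847 treated as old format, 6-digit builds such as 130766 as new format) are assumptions of this example, since the advisory states only that the format changed.

```python
"""Classify Cortex XSOAR engine hosts against CVE-2022-0031 (added example).

Affected/unaffected boundaries are transcribed from the advisory's Product Status
table and Solution section; the exposure preconditions (Linux, shell install)
come from "Required Configuration for Exposure". The inventory records, the
function names and OLD_FORMAT_MIN_BUILD are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Solution section: fixed in 6.9.0 build 130766 (new build-number format).
FIXED_BUILD_NEW_FORMAT = 130766
# Product Status table: every old-format 6.9.0 build up to this one is affected.
LAST_AFFECTED_BUILD_OLD_FORMAT = 3387847
# Product Status table: release lines affected in their entirety.
AFFECTED_ENTIRE_LINES = {(6, 5), (6, 6), (6, 8)}
# ASSUMPTION: the advisory says the build-number format changed but not how.
# Its examples are 7 digits old-style (3387847) and 6 digits new-style (130766),
# so this example treats any build >= 1,000,000 as old-format.
OLD_FORMAT_MIN_BUILD = 1_000_000


@dataclass
class EngineHost:
    """Hypothetical inventory record for one engine installation (constructed)."""
    name: str
    version: str         # "major.minor.patch.build", e.g. "6.9.0.130766"
    os: str              # e.g. "linux"
    install_method: str  # e.g. "shell", "docker"


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.patch.build' into four integers; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Cortex XSOAR version string: {version!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return major, minor, patch, build


def naive_is_fixed(version: str) -> bool:
    """What a plain numeric comparison of the build field says; wrong for old-format builds."""
    return parse_version(version)[3] >= FIXED_BUILD_NEW_FORMAT


def version_status(version: str) -> str:
    """Return 'affected', 'unaffected' or 'not-listed' per the Product Status table."""
    major, minor, patch, build = parse_version(version)
    if (major, minor) in AFFECTED_ENTIRE_LINES:
        return "affected"
    if (major, minor, patch) == (6, 9, 0):
        if build >= OLD_FORMAT_MIN_BUILD:
            # Old-format build: the table lists <= 6.9.0.3387847 as affected and
            # names no old-format build as unaffected.
            return "affected" if build <= LAST_AFFECTED_BUILD_OLD_FORMAT else "not-listed"
        return "affected" if build < FIXED_BUILD_NEW_FORMAT else "unaffected"
    if (major, minor, patch) > (6, 9, 0):
        return "unaffected"  # Solution: "all later versions of Cortex XSOAR"
    return "not-listed"      # e.g. 6.7 or 6.4: not in the table, check the vendor page


def host_exposure(host: EngineHost) -> str:
    """Combine the version status with the advisory's exposure preconditions."""
    status = version_status(host.version)
    if status != "affected":
        return status
    if host.os.lower() != "linux" or host.install_method.lower() != "shell":
        return "affected-version-not-exposed"
    return "exposed"


def triage(hosts: List[EngineHost]) -> Dict[str, List[str]]:
    """Group host names by exposure outcome."""
    groups: Dict[str, List[str]] = {}
    for host in hosts:
        groups.setdefault(host_exposure(host), []).append(host.name)
    return groups


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    EngineHost("engine-01", "6.9.0.130765", "linux", "shell"),
    EngineHost("engine-02", "6.9.0.130766", "linux", "shell"),
    EngineHost("engine-03", "6.9.0.3387847", "linux", "shell"),   # old-format build
    EngineHost("engine-04", "6.8.0.2000000", "linux", "docker"),  # affected, not exposed
    EngineHost("engine-05", "6.10.0.100000", "linux", "shell"),
]

if __name__ == "__main__":
    for outcome, names in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{outcome:30} {', '.join(names)}")
    # engine-03 shows why the build-number caveat matters:
    print("naive check on 6.9.0.3387847 says fixed:", naive_is_fixed("6.9.0.3387847"))
```

The point of the `naive_is_fixed` helper is the caveat itself: comparing the build field numerically reports 6.9.0.3387847 as fixed, while the table lists it as affected. Hosts that land in "affected-version-not-exposed" still run vulnerable code and should be scheduled for the upgrade; the advisory offers no workaround.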

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

Palo Alto Networks thanks Olivier Caillault for discovering and reporting this
issue.

Timeline

2022-11-19 Clarified fix availability as build numbers for Cortex XSOAR have
changed
2022-11-09 Initial publication
(C) 2022 Palo Alto Networks, Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----