Cybersecurity firm Palo Alto Networks has informed customers about several vulnerabilities that could allow a malicious actor to disable its products.
A security researcher who uses the online moniker “mr.d0x” informed the company that its Cortex XDR Agent can be bypassed by an attacker with elevated privileges.
The researcher discovered that the agent can be disabled by a local attacker with administrator privileges simply by modifying a registry key, leaving the endpoint exposed to attacks. The product’s anti-tampering feature is unable to prevent the use of this method.
Mr.d0x also discovered that there is a default “uninstall password” that — if it hasn’t been changed by the admin — can also be used to disable the XDR agent.
If the default password has been changed, the new password’s hash can be obtained from a file. The attacker can then attempt to crack the password. It may also be possible for an attacker who does not have administrator privileges to obtain this hash.
Mr.d0x said he discovered these vulnerabilities in the summer of 2021, but he only now published a blog post detailing the findings to give the vendor enough time to take action. However, Palo Alto Networks is still working on patches and protections for these issues.
“It’s important for security solutions to implement adequate tamper protection to avoid being targeted by attackers,” Mr.d0x said. “Furthermore, it shouldn’t be trivial to obtain credentials or privileges that can disable the security solution.”
The cybersecurity company has also informed customers about a denial-of-service (DoS) vulnerability affecting the DNS proxy feature in its PAN-OS software. A man-in-the-middle (MitM) attacker can use specially crafted traffic to disrupt affected firewalls. Patches are available for all supported versions of PAN-OS.
An MitM attacker can also launch a DoS attack against PAN-OS, the GlobalProtect app, and the Cortex XDR agent by exploiting a recently patched OpenSSL vulnerability tracked as CVE-2022-0778.
Several cybersecurity vendors have been assessing the impact of this flaw on their products.
Palo Alto Networks says it’s not aware of any attacks exploiting these vulnerabilities. All of the flaws have a severity rating of “medium,” “low” or “informational.”
UPDATE: Palo Alto Networks has updated its advisory for the issue that involves Windows registry modifications to explain that the tampering will also result in critical system services becoming unavailable, which leads to normal usage being disrupted. The Cortex XDR agent is disabled and these system services become unavailable after the device has been rebooted.
The article has also been updated to note that a patch is available for the PAN-OS DoS vulnerability. The severity ratings are based on CVSS scores, not on the vendor's assessment of exploitability.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.