
Several Vulnerabilities Allow Disabling of Palo Alto Networks Products

Cybersecurity firm Palo Alto Networks has informed customers about several vulnerabilities that could allow a malicious actor to disable its products.


A security researcher who uses the online moniker “mr.d0x” informed the company that its Cortex XDR Agent can be bypassed by an attacker with elevated privileges.

The researcher discovered that the agent can be disabled by a local attacker with administrator privileges simply by modifying a registry key, leaving the endpoint exposed to attacks. The product’s anti-tampering feature is unable to prevent the use of this method.

Mr.d0x also discovered that there is a default “uninstall password” that — if it hasn’t been changed by the admin — can also be used to disable the XDR agent.

If the default password has been changed, the new password’s hash can be obtained from a file. The attacker can then attempt to crack the password. It may also be possible for an attacker who does not have administrator privileges to obtain this hash.

Mr.d0x said he discovered these vulnerabilities in the summer of 2021, but he only now published a blog post detailing the findings to give the vendor enough time to take action. However, Palo Alto Networks is still working on patches and protections for these issues.

“It’s important for security solutions to implement adequate tamper protection to avoid being targeted by attackers,” Mr.d0x said. “Furthermore, it shouldn’t be trivial to obtain credentials or privileges that can disable the security solution.”

The cybersecurity company has also informed customers about a denial-of-service (DoS) vulnerability affecting the DNS proxy feature in its PAN-OS software. A man-in-the-middle (MitM) attacker can use specially crafted traffic to disrupt affected firewalls. Patches are available for all supported versions of PAN-OS.


An MitM attacker can also launch a DoS attack against PAN-OS, the GlobalProtect app, and the Cortex XDR agent by exploiting a recently patched OpenSSL vulnerability tracked as CVE-2022-0778.

Several cybersecurity vendors have been assessing the impact of this flaw on their products.

Palo Alto Networks says it’s not aware of any attacks exploiting these vulnerabilities. All of the flaws have a severity rating of “medium,” “low” or “informational.”

UPDATE: Palo Alto Networks has updated its advisory for the issue that involves Windows registry modifications to explain that the tampering will also result in critical system services becoming unavailable, which leads to normal usage being disrupted. The Cortex XDR agent is disabled and these system services become unavailable after the device has been rebooted.

*Article also updated to note that a patch is available for the PAN-OS DoS vulnerability. The severity ratings are based on CVSS scores and not the vendor’s assessment of exploitability.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
