SecurityWeek

Several Vulnerabilities Allow Disabling of Palo Alto Networks Products

Cybersecurity firm Palo Alto Networks has informed customers about several vulnerabilities that could allow a malicious actor to disable its products.


A security researcher who uses the online moniker “mr.d0x” informed the company that its Cortex XDR Agent can be bypassed by an attacker with elevated privileges.

The researcher discovered that the agent can be disabled by a local attacker with administrator privileges simply by modifying a registry key, leaving the endpoint exposed to attacks. The product’s anti-tampering feature is unable to prevent the use of this method.
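The registry-tampering bypass described above is the kind of change a detection engineer wants to catch on the endpoint itself. The following is an added example, not code from the article or from Palo Alto Networks: it parses constructed Sysmon Event ID 13 (registry value set) records and raises an alert when any process other than the agent's own binaries writes under the agent's keys. The article does not name the registry key involved, so `ExampleEdrAgent`, `ExampleVendor` and the process paths are placeholders to be replaced with the vendor-documented values, and the extra check for a service `Start` value of 4 (SERVICE_DISABLED) is a general Windows case added here to illustrate a reboot-dependent effect, not a detail taken from the advisory.

```python
"""Flag registry writes to an endpoint security agent's keys by untrusted processes.

Added illustrative example, not Palo Alto Networks' code. It parses constructed
Sysmon Event ID 13 (RegistryEvent, "Value Set") records and raises an alert when
a process other than the agent's own binaries writes under a watched key. The
key paths and process names are placeholders; substitute the vendor-documented
ones for the agent you run.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Placeholder registry locations for a hypothetical agent "ExampleEdrAgent".
WATCHED_KEY_PREFIXES = (
    r"HKLM\System\CurrentControlSet\Services\ExampleEdrAgent",
    r"HKLM\SOFTWARE\ExampleVendor\EdrAgent",
)
# Placeholder binaries that are legitimately allowed to touch those keys.
TRUSTED_WRITERS = {
    r"c:\program files\examplevendor\agent.exe",
    r"c:\program files\examplevendor\setup.exe",
}


@dataclass
class RegistryAlert:
    utc_time: str
    image: str
    target_object: str
    details: str
    reason: str


def _local_name(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text: str) -> Dict[str, str]:
    """Flatten a Sysmon event into {EventID, UtcTime, Image, TargetObject, ...}."""
    fields: Dict[str, str] = {}
    for element in ET.fromstring(xml_text).iter():
        name = _local_name(element.tag)
        if name == "EventID":
            fields["EventID"] = (element.text or "").strip()
        elif name == "Data" and element.get("Name"):
            fields[element.get("Name")] = element.text or ""
    return fields


def evaluate_event(event: Dict[str, str]) -> Optional[RegistryAlert]:
    """Return an alert for an untrusted write under a watched key, else None."""
    if event.get("EventID") != "13":  # only RegistryEvent (Value Set)
        return None
    target = event.get("TargetObject", "")
    if not any(target.lower().startswith(p.lower()) for p in WATCHED_KEY_PREFIXES):
        return None
    image = event.get("Image", "")
    if image.lower() in TRUSTED_WRITERS:
        return None
    details = event.get("Details", "")
    reason = "untrusted process wrote to a protected agent key"
    # A service Start value of 4 (SERVICE_DISABLED) keeps the service from
    # loading on the next boot; the advisory also notes the effect follows a reboot.
    if target.lower().endswith(r"\start") and "0x00000004" in details.lower():
        reason += "; service start type set to Disabled (takes effect after reboot)"
    return RegistryAlert(event.get("UtcTime", ""), image, target, details, reason)


def scan(records: Iterable[str]) -> List[RegistryAlert]:
    """Run every record through the rule and collect the alerts."""
    alerts = []
    for record in records:
        alert = evaluate_event(parse_sysmon_event(record))
        if alert is not None:
            alerts.append(alert)
    return alerts


def _record(event_id: int, **data: str) -> str:
    """Build a minimal Sysmon-style XML event (constructed sample data)."""
    body = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>%d</EventID></System><EventData>%s</EventData></Event>"
        % (event_id, body)
    )


# Constructed sample log: one benign agent write, one tampering attempt via
# reg.exe, one unrelated user-hive write, and one non-registry event.
SAMPLE_RECORDS = [
    _record(13, UtcTime="2022-03-21 10:00:01.000",
            Image=r"C:\Program Files\ExampleVendor\agent.exe",
            TargetObject=r"HKLM\SOFTWARE\ExampleVendor\EdrAgent\LastHeartbeat",
            Details="DWORD (0x623843c1)"),
    _record(13, UtcTime="2022-03-21 10:05:42.000",
            Image=r"C:\Windows\System32\reg.exe",
            TargetObject=r"HKLM\System\CurrentControlSet\Services\ExampleEdrAgent\Start",
            Details="DWORD (0x00000004)"),
    _record(13, UtcTime="2022-03-21 10:06:10.000",
            Image=r"C:\Windows\System32\notepad.exe",
            TargetObject=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\ExampleApp\WindowPos",
            Details="DWORD (0x00000010)"),
    _record(1, UtcTime="2022-03-21 10:07:00.000",
            Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Sysmon only records value-set events that its configuration includes, so the watched prefixes must also appear in the Sysmon rules for the agent's keys; the rule here deliberately alerts on every untrusted writer, including administrators, because the article's point is that administrator privileges alone should not be enough to switch the agent off silently.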

Mr.d0x also discovered that there is a default “uninstall password” that — if it hasn’t been changed by the admin — can also be used to disable the XDR agent.

If the default password has been changed, the new password’s hash can be obtained from a file. The attacker can then attempt to crack the password. It may also be possible for an attacker who does not have administrator privileges to obtain this hash.

Mr.d0x said he discovered these vulnerabilities in the summer of 2021, but he only now published a blog post detailing the findings to give the vendor enough time to take action. However, Palo Alto Networks is still working on patches and protections for these issues.

“It’s important for security solutions to implement adequate tamper protection to avoid being targeted by attackers,” Mr.d0x said. “Furthermore, it shouldn’t be trivial to obtain credentials or privileges that can disable the security solution.”

The cybersecurity company has also informed customers about a denial-of-service (DoS) vulnerability affecting the DNS proxy feature in its PAN-OS software. A man-in-the-middle (MitM) attacker can use specially crafted traffic to disrupt affected firewalls. Patches are available for all supported versions of PAN-OS.


An MitM attacker can also launch a DoS attack against PAN-OS, the GlobalProtect app, and the Cortex XDR agent by exploiting a recently patched OpenSSL vulnerability tracked as CVE-2022-0778.

Several cybersecurity vendors have been assessing the impact of this flaw on their products.

Palo Alto Networks says it’s not aware of any attacks exploiting these vulnerabilities. All of the flaws have a severity rating of “medium,” “low” or “informational.”

UPDATE: Palo Alto Networks has updated its advisory for the issue that involves Windows registry modifications to explain that the tampering will also result in critical system services becoming unavailable, which leads to normal usage being disrupted. The Cortex XDR agent is disabled and these system services become unavailable after the device has been rebooted.

The article has also been updated to note that a patch is available for the PAN-OS DoS vulnerability. The severity ratings are based on CVSS scores, not on the vendor’s assessment of exploitability.

Related: Remote Code Execution Flaw in Palo Alto GlobalProtect VPN

Related: Palo Alto Networks Patches Flaws in Prisma Cloud Compute, Cortex XDR Agent

Related: US Cyber Command: Foreign APTs Likely to Exploit New Palo Alto Networks Flaw

Related: Palo Alto Networks Patches Critical Vulnerability in Cortex XSOAR

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
