CVE-2021-3042

7.8 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in the Palo Alto Networks Cortex XDR agent on Windows. An authenticated local user with file creation privileges in the Windows root directory can execute programs with SYSTEM privileges. This affects Cortex XDR agent versions 6.1, 7.2, and 7.3 without content update 181 or later.

💻 Affected Systems

Products:
  • Palo Alto Networks Cortex XDR Agent
Versions: All versions of Cortex XDR agent 6.1, 7.2, and 7.3 without content update 181 or later
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Cortex XDR agent 5.0 versions are not impacted. Content updates are required to resolve this issue and are automatically applied for the agent.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with local access and file creation privileges in C:\ could gain full SYSTEM privileges, allowing complete compromise of the Windows system, installation of persistent malware, and bypass of all security controls.

🟠 Likely Case

A malicious insider or compromised user account with appropriate file permissions could elevate privileges to SYSTEM, enabling lateral movement, credential theft, and data exfiltration.

🟢 If Mitigated

With proper file permissions restricting write access to C:\ and least privilege user accounts, exploitation becomes difficult or impossible.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated local access, not remotely exploitable.
🏢 Internal Only: HIGH - This poses significant risk in environments where users have file creation privileges in root directories, which is common in some enterprise configurations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated local Windows user with file creation privileges in the Windows root directory (e.g., C:\).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Content update 181 or later

Vendor Advisory: https://security.paloaltonetworks.com/CVE-2021-3042

Restart Required: No

Instructions:

1. Ensure the Cortex XDR agent is configured to receive content updates automatically.
2. Verify that content update 181 or later is applied.
3. No agent restart is required, as content updates are applied automatically.

🔧 Temporary Workarounds

Restrict file creation in Windows root directory

Platform: windows

Remove file creation privileges for standard users in the C:\ directory to prevent exploitation.

Use Windows Security Policy or Group Policy to restrict write permissions on C:\ for non-administrative users.

🧯 If You Can't Patch

  • Implement strict file permissions on Windows root directories to prevent unauthorized file creation
  • Apply principle of least privilege to user accounts and monitor for privilege escalation attempts
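To check whether the workaround above is actually in place, the following PowerShell script (an added example, not from the advisory or from Palo Alto Networks) audits the ACL of the system drive root for non-administrative principals that hold file creation rights there. Treating `$env:SystemDrive\` as the Windows root and the list of broad principals are assumptions.

```powershell
# Added example, not from the advisory: audit the ACL on the Windows root
# directory for entries that let non-administrative principals create files
# there. Assumes the Windows root is the root of the system drive.
$root = "$env:SystemDrive\"
$acl  = Get-Acl -Path $root

# Broad, non-administrative principals (assumed list; extend for local groups)
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Bits that grant file creation in a directory: CreateFiles (same bit as
# WriteData), plus the generic rights some ACEs carry as raw numbers.
$createFilesBit = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$genericWrite   = 0x40000000
$genericAll     = 0x10000000
$mask           = $createFilesBit -bor $genericWrite -bor $genericAll
$inheritOnly    = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
    # Inherit-only ACEs apply to children, not to the root folder itself
    if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
    if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Non-administrative principals can create files in $root"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No broad file-creation rights found on $root"
}
```

On a default Windows installation the broad groups hold only CreateDirectories (AppendData) on the drive root, so an empty result is expected; an explicit CreateFiles, Write, Modify or FullControl entry for one of these groups is the condition the workaround removes.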

🔍 How to Verify

Check if Vulnerable:

Check the Cortex XDR agent version and the content update version. If the agent is 6.1, 7.2, or 7.3 and the content update is earlier than 181, the system is vulnerable.

Check Version:

Check the agent version via the Cortex XDR agent interface or the management console.

Verify Fix Applied:

Verify that the content update version is 181 or later in the Cortex XDR agent interface or the management console.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • File creation in Windows root directory by non-admin users
  • Suspicious process execution with SYSTEM privileges

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

Search for Windows Event ID 4688 (process creation) events that show elevated privileges originating from non-admin users, or for file creation events in the C:\ directory.
