CVE-2021-3044
📋 TL;DR
CVE-2021-3044 is an improper authorization vulnerability in Palo Alto Networks Cortex XSOAR that allows remote unauthenticated attackers with network access to perform unauthorized actions through the REST API. This affects Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064, and Cortex XSOAR 6.2.0 builds earlier than 1271065. Organizations running affected on-premises instances are vulnerable.
💻 Affected Systems
- Palo Alto Networks Cortex XSOAR
📦 What is this software?
Cortex XSOAR by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Cortex XSOAR instance allowing attackers to execute arbitrary commands, access sensitive data, manipulate security operations, and pivot to other systems.
Likely Case
Unauthorized access to security orchestration functions, data exfiltration, and disruption of security automation workflows.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to the REST API.
🎯 Exploit Status
The vulnerability is reachable over the REST API without authentication and carries a CVSS score of 9.8, which indicates low-complexity exploitation; exploitation in the wild is therefore likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Cortex XSOAR 6.1.0 build 1271064 or later; Cortex XSOAR 6.2.0 build 1271065 or later
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2021-3044
Restart Required: Yes
Instructions:
1. Back up your Cortex XSOAR configuration.
2. Download the appropriate patch from the Palo Alto Networks support portal.
3. Apply the patch following the vendor instructions.
4. Restart the Cortex XSOAR service.
5. Verify the fix by checking the build version.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Cortex XSOAR REST API endpoints to trusted IP addresses only. Example rules for a Linux host (replace TRUSTED_IP, and repeat the ACCEPT rule for each trusted address; the ACCEPT rule must be inserted before the DROP rule):
# Allow HTTPS from the trusted address
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
# Drop HTTPS from everyone else
iptables -A INPUT -p tcp --dport 443 -j DROP
API Authentication Enforcement
Ensure all REST API endpoints require authentication, even if the vulnerability allows that requirement to be bypassed.
🧯 If You Can't Patch
- Immediately isolate the Cortex XSOAR instance from untrusted networks using firewall rules.
- Implement strict network segmentation and monitor all access to the Cortex XSOAR REST API endpoints.
🔍 How to Verify
Check if Vulnerable:
Check the Cortex XSOAR version via the web interface or CLI. For 6.1.0, the instance is vulnerable if the build number is later than 1016923 and earlier than 1271064. For 6.2.0, it is vulnerable if the build number is earlier than 1271065.
Check Version:
Check via the Cortex XSOAR web interface under Settings → About, or use the CLI command specific to your deployment.
Verify Fix Applied:
Confirm the build number is 1271064 or higher for 6.1.0, or 1271065 or higher for 6.2.0. Then confirm that REST API requests made without authentication are denied.
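To turn the build ranges above into a repeatable check across a fleet of instances, here is an added Python example; it is not from the advisory or from Palo Alto Networks. It applies exactly the ranges stated on this page. The version string format it parses (for example "6.1.0 (build 1234567)") is an assumption, since the page does not say how a deployment reports its build number.

```python
import re
from typing import Optional, Tuple

# Affected build ranges as stated in the advisory, with exclusive bounds:
#   6.1.0: later than 1016923 and earlier than 1271064
#   6.2.0: earlier than 1271065 (no lower bound given)
AFFECTED = {
    "6.1.0": (1016923, 1271064),
    "6.2.0": (None, 1271065),
}

# Assumed input convention (constructed, not the product's documented output):
# a version triple followed somewhere by a build number of at least five digits,
# e.g. "6.1.0 (build 1234567)", "Cortex XSOAR 6.2.0 build 1271065", "6.1.0-1200000".
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)\D+?(?:build\s*)?(\d{5,})", re.IGNORECASE)


def parse_version_string(text: str) -> Optional[Tuple[str, int]]:
    """Extract (version, build) from a free-form version string, or None."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return match.group(1), int(match.group(2))


def is_vulnerable(version: str, build: int) -> Optional[bool]:
    """True/False per the advisory's ranges; None for versions the advisory does not list."""
    if version not in AFFECTED:
        return None  # no claim either way for versions not covered on this page
    low, high = AFFECTED[version]
    if low is not None and build <= low:
        return False  # at or before the lower bound: not in the affected range
    return build < high  # fixed builds start at the upper bound


def assess(text: str) -> dict:
    """Parse a reported version string and report the advisory verdict."""
    parsed = parse_version_string(text)
    if parsed is None:
        return {"input": text, "error": "could not parse version/build"}
    version, build = parsed
    return {"input": text, "version": version, "build": build,
            "vulnerable": is_vulnerable(version, build)}


if __name__ == "__main__":
    # Constructed sample reports covering the boundaries of each range.
    for sample in ["6.1.0 (build 1016923)", "6.1.0 (build 1016924)",
                   "6.1.0 (build 1271064)", "Cortex XSOAR 6.2.0 build 1271064",
                   "6.2.0-1271065", "6.0.0 build 1000000"]:
        print(assess(sample))
```

The boundary builds matter: build 1016923 of 6.1.0 is not in the affected range, 1016924 is, and 1271064 (6.1.0) and 1271065 (6.2.0) are the first fixed builds, matching the official fix versions above.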
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated REST API requests
- Unusual API activity from unexpected IP addresses
- Failed authentication attempts followed by successful unauthorized actions
Network Indicators:
- Unusual traffic patterns to Cortex XSOAR REST API endpoints
- API requests without authentication headers
SIEM Query:
source="cortex-xsoar" AND (http_method="POST" OR http_method="PUT" OR http_method="DELETE") AND NOT authentication="successful"
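The log and network indicators above, together with the SIEM query, can be expressed as a small detection script run over access-log lines. The following is an added example, not from the advisory or from Palo Alto Networks. The JSON log format and its field names, the trusted network, and the authentication-exempt path are constructed assumptions, because the page does not specify Cortex XSOAR's log schema; map them to your real log source.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in a hypothetical JSON format. This is NOT
# Cortex XSOAR's real log schema; the field names are assumptions for this example.
SAMPLE_LOGS = [
    '{"ts": "2021-06-22T10:00:01Z", "src": "10.0.5.12", "method": "GET", "path": "/incidents", "auth": "successful"}',
    '{"ts": "2021-06-22T10:00:02Z", "src": "203.0.113.7", "method": "POST", "path": "/incident", "auth": "none"}',
    '{"ts": "2021-06-22T10:00:03Z", "src": "10.0.5.12", "method": "DELETE", "path": "/incident/42", "auth": "failed"}',
    '{"ts": "2021-06-22T10:00:04Z", "src": "198.51.100.9", "method": "POST", "path": "/login", "auth": "failed"}',
    '{"ts": "2021-06-22T10:00:05Z", "src": "10.0.5.12", "method": "PUT", "path": "/playbook/7", "auth": "successful"}',
]

# Assumed allow-list of networks expected to reach the API (constructed value).
TRUSTED_NETWORKS = [ip_network("10.0.5.0/24")]
# State-changing methods, as in the page's SIEM query.
STATE_CHANGING = {"POST", "PUT", "DELETE"}
# Endpoints that legitimately receive unauthenticated state-changing requests (assumed).
AUTH_EXEMPT_PATHS = {"/login"}


def parse_log_line(line: str) -> dict:
    """Parse one JSON log line into a dict; raise ValueError on malformed input."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed log line: {line!r}") from exc
    for field in ("ts", "src", "method", "path", "auth"):
        if field not in event:
            raise ValueError(f"log line missing field {field!r}: {line!r}")
    return event


def is_trusted_source(src: str) -> bool:
    """True when the source address falls inside an allow-listed network."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # an unparsable address is treated as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify_event(event: dict) -> list:
    """Return the names of the indicators that fire for a single event."""
    reasons = []
    # Indicator 1: a state-changing request that did not authenticate successfully,
    # excluding endpoints where an unauthenticated request is expected.
    if (event["method"].upper() in STATE_CHANGING
            and event["auth"] != "successful"
            and event["path"] not in AUTH_EXEMPT_PATHS):
        reasons.append("unauthenticated_state_change")
    # Indicator 2: API activity from an address outside the trusted networks.
    if not is_trusted_source(event["src"]):
        reasons.append("untrusted_source")
    return reasons


def find_suspicious(lines) -> list:
    """Run the indicators over an iterable of log lines and return the hits in order."""
    hits = []
    for line in lines:
        event = parse_log_line(line)
        reasons = classify_event(event)
        if reasons:
            hits.append({"ts": event["ts"], "src": event["src"], "method": event["method"],
                         "path": event["path"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(hit)
```

On the constructed sample, the GET and the authenticated PUT from the trusted network produce no hit; the unauthenticated POST from 203.0.113.7 fires both indicators, the failed-auth DELETE from inside the trusted network fires only the unauthenticated-change indicator, and the failed login from 198.51.100.9 fires only the untrusted-source indicator. The exempt-path set is what keeps ordinary login attempts out of the first indicator; without it every failed login would be reported as an unauthorized action.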