CVE-2021-3051
📋 TL;DR
CVE-2021-3051 is an improper cryptographic signature verification vulnerability in Cortex XSOAR's SAML authentication that allows unauthenticated attackers with specific knowledge of the target instance to bypass authentication and access protected resources. This affects self-hosted Cortex XSOAR versions 5.5.0, 6.0.2, 6.1.0, and 6.2.0 before specific build numbers. Palo Alto Networks-hosted instances are not affected.
💻 Affected Systems
- Cortex XSOAR
📦 What is this software?
Cortex XSOAR by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Cortex XSOAR instance allowing unauthorized access to all protected resources, data exfiltration, and execution of arbitrary actions as authenticated users.
Likely Case
Unauthorized access to sensitive security operations data, manipulation of automation playbooks, and potential lateral movement within the security infrastructure.
If Mitigated
Limited impact with proper network segmentation and monitoring, though authentication bypass still presents significant risk.
🎯 Exploit Status
Requires specific knowledge of the target Cortex XSOAR instance. No public exploit code available as of knowledge cutoff.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Cortex XSOAR 5.5.0 build 1578677 or later; 6.0.2 build 1576452 or later; 6.1.0 build 1578663 or later; 6.2.0 build 1578666 or later
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2021-3051
Restart Required: Yes
Instructions:
1. Back up your Cortex XSOAR configuration.
2. Download the appropriate patched build from the Palo Alto Networks support portal.
3. Install the update following the official upgrade procedures.
4. Restart the Cortex XSOAR service.
🔧 Temporary Workarounds
Disable SAML Authentication
Temporarily disable SAML authentication and use alternative authentication methods until patching can be completed.
Navigate to Settings > Users and Roles > Authentication and disable SAML
Network Access Restrictions
Restrict network access to Cortex XSOAR instances to trusted IP addresses only.
Configure firewall rules to allow only specific source IPs to access Cortex XSOAR ports
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Cortex XSOAR from untrusted networks
- Enable detailed authentication logging and monitor for suspicious SAML authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check the Cortex XSOAR version in the web interface under Settings > About, or run 'demisto --version' on the server, and compare the build number against the affected ranges.
Check Version:
demisto --version
Verify Fix Applied:
Verify the build number meets or exceeds the patched versions: 5.5.0 ≥ 1578677, 6.0.2 ≥ 1576452, 6.1.0 ≥ 1578663, 6.2.0 ≥ 1578666
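The comparison above is easy to get wrong when several release lines each have their own patched build. The following script, added here as an illustration and not part of the advisory or of any Palo Alto Networks tooling, encodes the four thresholds listed above and classifies a version/build pair as vulnerable, patched, or not listed (a release line the advisory does not name). The `"<version> (build <number>)"` string shape it parses is an assumption made for the example, not the documented output of `demisto --version`.

```python
import re

# Minimum patched build per affected release line, as listed in the advisory.
PATCHED_BUILDS = {
    "5.5.0": 1578677,
    "6.0.2": 1576452,
    "6.1.0": 1578663,
    "6.2.0": 1578666,
}

# Assumed input shape: a dotted version followed by a build number, e.g.
# "6.2.0 (build 1578666)". Constructed for this example; check the real
# output format of your instance before relying on the regex.
_VERSION_RE = re.compile(r"(?P<version>\d+\.\d+\.\d+)\D+(?P<build>\d{6,})")


def parse_version_string(text):
    """Extract (version, build) from a version banner; raise if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"could not find version/build in: {text!r}")
    return m.group("version"), int(m.group("build"))


def assess(version, build):
    """Classify a version/build pair against the advisory's thresholds.

    'vulnerable' : listed release line, build below the patched build
    'patched'    : listed release line, build at or above the patched build
    'not-listed' : release line not named in the advisory (check vendor page)
    """
    threshold = PATCHED_BUILDS.get(version)
    if threshold is None:
        return "not-listed"
    return "patched" if build >= threshold else "vulnerable"


def assess_string(text):
    """Convenience wrapper: parse a banner and classify it."""
    version, build = parse_version_string(text)
    return assess(version, build)


if __name__ == "__main__":
    # Constructed sample banners covering each outcome.
    for sample in [
        "Cortex XSOAR 6.2.0 (build 1578666)",
        "Cortex XSOAR 6.1.0 (build 1570000)",
        "Cortex XSOAR 6.5.0 (build 1600000)",
    ]:
        print(f"{sample} -> {assess_string(sample)}")
```

Note that `not-listed` is not the same as safe: a release line absent from the table should be checked against the vendor advisory rather than assumed unaffected.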
📡 Detection & Monitoring
Log Indicators:
- Unusual SAML authentication attempts from unexpected sources
- Authentication bypass events in Cortex XSOAR logs
- Failed authentication followed by successful access
Network Indicators:
- SAML authentication requests to Cortex XSOAR from untrusted sources
- Unusual traffic patterns to authentication endpoints
SIEM Query:
source="cortex-xsoar" AND (event_type="authentication" AND result="success" AND auth_method="SAML") | stats count by src_ip, user
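To make the log indicators above and the SIEM query concrete, here is a small offline detector, added as an example and not taken from the advisory or from Cortex XSOAR. It runs over a handful of constructed JSON-lines events (the field names `event_type`, `result`, `auth_method`, `src_ip`, `user` mirror the query above; the `ts` field and the JSON shape are assumptions, as real XSOAR audit logs have their own format) and produces three things: the per-(src_ip, user) count the `stats` clause would give, successful SAML logins from outside an assumed trusted range, and the "failed authentication followed by successful access" sequence from the same source and user.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample events (JSON lines). Not real Cortex XSOAR log output.
SAMPLE_LOG = """
{"ts": 100, "event_type": "authentication", "result": "failure", "auth_method": "SAML", "src_ip": "203.0.113.7", "user": "admin"}
{"ts": 130, "event_type": "authentication", "result": "success", "auth_method": "SAML", "src_ip": "203.0.113.7", "user": "admin"}
{"ts": 200, "event_type": "authentication", "result": "success", "auth_method": "SAML", "src_ip": "10.0.5.12", "user": "alice"}
{"ts": 260, "event_type": "authentication", "result": "success", "auth_method": "local", "src_ip": "10.0.5.13", "user": "bob"}
{"ts": 300, "event_type": "authentication", "result": "success", "auth_method": "SAML", "src_ip": "10.0.5.12", "user": "alice"}
"""

# Assumed trusted source ranges (e.g. corporate LAN / VPN); adjust per environment.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _is_saml_auth(e):
    return e.get("event_type") == "authentication" and e.get("auth_method") == "SAML"


def saml_success_stats(events):
    """Equivalent of the SIEM query: successful SAML logins counted by (src_ip, user)."""
    return Counter(
        (e["src_ip"], e["user"])
        for e in events
        if _is_saml_auth(e) and e.get("result") == "success"
    )


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def untrusted_saml_successes(events):
    """Source IPs with a successful SAML login from outside the trusted ranges."""
    return sorted(
        {e["src_ip"] for e in events
         if _is_saml_auth(e) and e.get("result") == "success" and not is_trusted(e["src_ip"])}
    )


def failed_then_success(events, window=300):
    """(src_ip, user) pairs where a SAML failure is followed, within `window`
    seconds, by a SAML success from the same source for the same user."""
    last_failure = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not _is_saml_auth(e):
            continue
        key = (e["src_ip"], e["user"])
        if e["result"] == "failure":
            last_failure[key] = e["ts"]
        elif e["result"] == "success" and key in last_failure:
            if e["ts"] - last_failure[key] <= window:
                hits.append(key)
            del last_failure[key]
    return hits


def analyze(text):
    """Run all three detections over JSON-lines text and return the findings."""
    events = parse_events(text)
    return {
        "stats": dict(saml_success_stats(events)),
        "untrusted_sources": untrusted_saml_successes(events),
        "failed_then_success": failed_then_success(events),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

In the sample data the only finding is the external address 203.0.113.7, which both logs in from outside the trusted range and does so right after a failure for the same user. Either signal alone is routine; together they are worth an analyst's attention on an unpatched instance.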