CVE-2024-5914
📋 TL;DR
CVE-2024-5914 is a critical command injection vulnerability in Palo Alto Networks Cortex XSOAR CommonScripts Pack that allows unauthenticated attackers to execute arbitrary commands within integration containers. This affects organizations using Cortex XSOAR with the vulnerable CommonScripts Pack. Attackers can potentially gain control over affected systems.
💻 Affected Systems
- Palo Alto Networks Cortex XSOAR
📦 What is this software?
Cortex XSOAR CommonScripts Pack by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Cortex XSOAR environment, lateral movement to connected systems, data exfiltration, and deployment of ransomware or other malware across the network.
Likely Case
Initial access to the XSOAR environment, execution of commands within container context, potential privilege escalation to host system, and compromise of connected security tools and data.
If Mitigated
Limited impact due to network segmentation, container isolation, and proper access controls preventing lateral movement or critical system access.
🎯 Exploit Status
The vulnerability allows unauthenticated command injection, making exploitation straightforward for attackers with network access to vulnerable systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CommonScripts Pack version 1.14.2
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2024-5914
Restart Required: No
Instructions:
1. Log into Cortex XSOAR.
2. Navigate to Marketplace.
3. Update the CommonScripts Pack to version 1.14.2 or later.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Cortex XSOAR instances to only trusted IP addresses and networks.
Disable Vulnerable Scripts
Identify and disable specific vulnerable scripts within the CommonScripts Pack if they are not required for operations.
🧯 If You Can't Patch
- Isolate Cortex XSOAR instances from the internet and restrict internal network access
- Implement strict network monitoring and alerting for suspicious commands or connections from XSOAR containers
🔍 How to Verify
Check if Vulnerable:
Check the installed version of CommonScripts Pack in Cortex XSOAR Marketplace. If version is earlier than 1.14.2, the system is vulnerable.
Check Version:
No direct CLI command. Check via Cortex XSOAR web interface under Marketplace > Installed Packs > CommonScripts Pack.
Verify Fix Applied:
Confirm CommonScripts Pack version is 1.14.2 or later in the Cortex XSOAR Marketplace interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in XSOAR container logs
- Suspicious process creation from XSOAR integration containers
- Authentication failures followed by command execution
Network Indicators:
- Unexpected outbound connections from XSOAR containers
- Traffic to suspicious IPs or domains from XSOAR systems
SIEM Query:
source="cortex-xsoar" AND (event_type="command_execution" OR process_name="sh" OR process_name="bash") AND user="unauthenticated"
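As an added illustration (not part of the advisory or of any Palo Alto Networks tooling), the following Python script applies the logic of the SIEM query above to a few constructed XSOAR-style log events and also checks an installed CommonScripts Pack version against the fixed version 1.14.2. The JSON field names (`source`, `event_type`, `process_name`, `user`) are taken from the query and are assumptions about the log format.

```python
import json

# Fixed CommonScripts Pack version from the vendor advisory (1.14.2).
FIXED_VERSION = (1, 14, 2)


def parse_version(version):
    """Turn a dotted version string such as '1.14.2' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_pack_version(version):
    """True when the installed CommonScripts Pack is older than 1.14.2."""
    return parse_version(version) < FIXED_VERSION


def matches_query(event):
    """Mirror the SIEM query: source cortex-xsoar AND (command_execution OR
    a sh/bash process) AND the user is 'unauthenticated'."""
    if event.get("source") != "cortex-xsoar":
        return False
    exec_like = (event.get("event_type") == "command_execution"
                 or event.get("process_name") in ("sh", "bash"))
    return exec_like and event.get("user") == "unauthenticated"


def find_suspicious(log_lines):
    """Return the parsed events that match the detection logic, skipping
    malformed lines instead of aborting the whole pass."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_query(event):
            hits.append(event)
    return hits


# Constructed sample events; the field layout is hypothetical.
SAMPLE_LOGS = [
    '{"source": "cortex-xsoar", "event_type": "command_execution", "user": "unauthenticated", "process_name": "bash"}',
    '{"source": "cortex-xsoar", "event_type": "playbook_run", "user": "analyst1", "process_name": "python"}',
    '{"source": "cortex-xsoar", "event_type": "integration_call", "user": "unauthenticated", "process_name": "sh"}',
    '{"source": "firewall", "event_type": "command_execution", "user": "unauthenticated"}',
    "not json at all",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print("ALERT:", hit)
    print("1.14.1 vulnerable:", is_vulnerable_pack_version("1.14.1"))
```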