Palo Alto Networks Security Advisories / CVE-2024-8690

CVE-2024-8690 Cortex XDR Agent: Local Windows Administrator Can Disable the Agent

047910
Severity 5.6 · MEDIUM
Urgency MODERATE
Response Effort MODERATE
Recovery USER
Value Density DIFFUSE
Attack Vector LOCAL
Attack Complexity LOW
Attack Requirements PRESENT
Automatable NO
User Interaction NONE
Product Confidentiality NONE
Product Integrity HIGH
Product Availability NONE
Privileges Required HIGH
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability LOW

Description

A problem with a detection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices enables a user with Windows administrator privileges to disable the agent. This issue may be leveraged by malware to disable the Cortex XDR agent and then to perform malicious activity.

Product Status

VersionsAffectedUnaffected
Cortex XDR Agent 8.5NoneAll
Cortex XDR Agent 8.4NoneAll
Cortex XDR Agent 8.3-CENoneAll
Cortex XDR Agent 8.3NoneAll
Cortex XDR Agent 8.2NoneAll
Cortex XDR Agent 7.9.102-CEAllNone

Severity: MEDIUM

CVSSv4.0 Base Score: 5.6 (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:L/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-440: Expected Behavior Violation

Solution

This issue is fixed in Cortex XDR Agent 8.2, and all later Cortex XDR Agent versions.

Acknowledgments

Palo Alto Networks thanks Ayman Sagy of CyberCX for discovering and reporting this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.