CVE-2022-0013 in Cortex XDR Agent
Summary
by MITRE • 01/12/2022
A file information exposure vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local attacker to read the contents of arbitrary files on the system with elevated privileges when generating a support file. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.
Analysis
by VulDB Data Team • 01/15/2022
The vulnerability described in CVE-2022-0013 represents a critical file information exposure flaw within the Palo Alto Networks Cortex XDR agent ecosystem. This security weakness specifically affects multiple versions of the agent across different major releases, creating a widespread impact across enterprise security environments that rely on Cortex XDR for endpoint protection. The vulnerability manifests during the support file generation process, which is a routine administrative function designed to collect diagnostic information for troubleshooting and analysis purposes. However, the flaw allows local attackers to exploit this legitimate functionality to gain unauthorized access to arbitrary system files, fundamentally undermining the integrity of the agent's security model.
The technical root cause of this vulnerability is inadequate path validation in a support file generation routine that runs with elevated privileges. When the agent processes a request to create a diagnostic bundle, it fails to properly sanitize file paths or verify that the requesting user is permitted to access them, allowing an attacker with local system access to specify arbitrary file locations within the filesystem. This flaw maps to CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal. Exploitation requires only local system access, which makes it particularly dangerous: it can be leveraged by malicious insiders or by attackers who have already gained an initial foothold on the system. The attacker can potentially read sensitive files, including configuration data, credential stores, or other privileged information that should remain protected from local users.
The operational impact of this vulnerability extends beyond simple information disclosure, as it gives an attacker a reliable way to gather intelligence about the compromised system and its network environment. The ability to read arbitrary files with elevated privileges means that an attacker could access system logs, configuration files containing sensitive information, or even other running processes' memory contents. This information gathering capability aligns with ATT&CK technique T1005 (Data from Local System) and T1083 (File and Directory Discovery). The vulnerability particularly affects organizations using older versions of the Cortex XDR agent, where the support functionality may be used for legitimate diagnostics but can be abused by attackers. The wide range of affected versions suggests that many enterprises may be exposed to this risk, especially those that have not yet updated their agent deployments to the patched versions.
Organizations should immediately prioritize updating their Cortex XDR agent installations to versions that address this vulnerability: 5.0.12, 6.1.9, 7.2.4 and 7.3.2 or later for the respective release trains. System administrators should implement additional monitoring around support file generation activities to detect anomalous behavior that might indicate exploitation attempts. Because the vulnerability is local, traditional network-based detection methods may not identify the threat, so endpoint detection and response capabilities are needed to monitor for unusual file access patterns. Security teams should also conduct thorough assessments of their agent deployments to identify all systems running vulnerable versions and implement temporary mitigations such as restricting local user access to the agent installation directories. This vulnerability highlights the importance of maintaining up-to-date security software and implementing comprehensive patch management processes, as the exploitation of such flaws can lead to significant data breaches and system compromise. The issue also demonstrates how even legitimate administrative functions can become attack vectors when proper input validation and privilege controls are not implemented, making it essential for security professionals to continuously evaluate the security posture of their endpoint protection solutions.
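The following is an added, illustrative example (not Cortex XDR code or anything from Palo Alto Networks) of the CWE-22 pattern described in the analysis: a privileged diagnostic-bundle collector that reads files named by a local caller, shown first without containment and then with canonical-path containment. The directory layout, file names and contents are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Hypothetical support-bundle collector running with elevated privileges.

def collect_unsafe(bundle_root: str, requested: str) -> bytes:
    """Vulnerable pattern (CWE-22): the caller-supplied name is joined onto the
    diagnostic directory with no containment check. Under pathlib semantics an
    absolute path replaces bundle_root outright, '..' walks out of it, and a
    symlink is followed wherever it points, all with the collector's privileges."""
    return Path(bundle_root, requested).read_bytes()

def collect_safe(bundle_root: str, requested: str) -> bytes:
    """Hardened pattern: canonicalise both sides (resolving symlinks) and require
    the target to be a regular file strictly below the allowlisted root."""
    root = Path(bundle_root).resolve(strict=True)
    target = (root / requested).resolve(strict=True)
    if root not in target.parents or not target.is_file():
        raise PermissionError(f"refusing {requested!r}: not a file under {root}")
    return target.read_bytes()

SECRET = b"constructed secret outside the bundle root\n"

def _classify(fn, root, name) -> str:
    """'leaked' if the out-of-root secret came back, 'blocked' if refused."""
    try:
        return "leaked" if fn(root, name) == SECRET else "ok"
    except PermissionError:
        return "blocked"

def demo() -> dict:
    """Exercise both collectors against a constructed layout in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp, "diagnostics")
        bundle.mkdir()
        (bundle / "agent.log").write_text("constructed agent log\n")
        secret = Path(tmp, "secret.conf")   # sits outside the bundle root
        secret.write_bytes(SECRET)
        link = bundle / "link_to_secret"    # symlink inside the root, pointing out
        try:
            link.symlink_to(secret)
        except OSError:                     # platform without symlink support
            link = None
        for tag, fn in (("unsafe", collect_unsafe), ("safe", collect_safe)):
            results[f"{tag}:log"] = _classify(fn, bundle, "agent.log")
            results[f"{tag}:dotdot"] = _classify(fn, bundle, "../secret.conf")
            results[f"{tag}:absolute"] = _classify(fn, bundle, str(secret))
            if link is not None:
                results[f"{tag}:symlink"] = _classify(fn, bundle, link.name)
    return results
```

The hardened version also blocks the symlink case because `resolve()` follows the link before the containment check, which a plain string-prefix test on the unresolved path would miss.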