CVE-2022-0014 in Cortex XDR Agent
Summary
by MITRE • 01/12/2022
An untrusted search path vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local attacker with file creation privilege in the Windows root directory (such as C:\) to store a program that can then be unintentionally executed by another local user when that user utilizes a Live Terminal session. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/15/2022
The vulnerability identified as CVE-2022-0014 represents a critical untrusted search path weakness within the Palo Alto Networks Cortex XDR agent implementation on Windows systems. This flaw stems from improper handling of system paths during the execution of commands through the Live Terminal session feature, creating a pathway for privilege escalation and persistent execution. The vulnerability specifically affects multiple versions of the Cortex XDR agent across different release branches, indicating a widespread impact that spans from version 5.0.0 through 7.3.1, making it particularly concerning for organizations maintaining legacy deployments.
The technical exploitation of this vulnerability relies on the attacker's ability to create files in the Windows root directory, typically C:\, where the agent process executes commands without proper path validation. When a local user initiates a Live Terminal session, the agent searches through system paths including the root directory, potentially executing malicious binaries that have been placed there by an attacker. This behavior aligns with CWE-427 Uncontrolled Search Path Element, where applications fail to properly validate or sanitize the search paths used for command execution, leading to unintended program execution.
The operational impact of this vulnerability extends beyond simple privilege escalation as it enables attackers to establish persistent access within the compromised environment. The attack vector requires only file creation privileges in the root directory, which many local users may possess, making the exploit relatively accessible. Once executed, the malicious program can maintain persistence and potentially escalate privileges further, depending on the victim user's permissions. The vulnerability's presence in multiple agent versions suggests that organizations may have been exposed for extended periods, creating potential for long-term compromise of endpoints.
Organizations should immediately upgrade to the patched versions of the Cortex XDR agent as specified in the advisory, with agent versions 5.0.12, 6.1.9, 7.2.4, and 7.3.2 respectively. Additionally, implementing proper file system access controls and monitoring for unauthorized file creation in the root directory can serve as temporary mitigations. The ATT&CK framework categorizes this vulnerability under T1059 Command and Scripting Interpreter and T1547 Registry Run Keys, indicating the attack chain involves executing commands through legitimate system interfaces while establishing persistence mechanisms. Network segmentation and least privilege principles should be enforced to limit the potential lateral movement if exploitation occurs, as the vulnerability primarily affects local execution contexts rather than remote attack surfaces.