CVE-2024-5909

Improper Privilege Management (CWE-269)

Published: Jun 12, 2024 / Updated: 5mo ago

CVSS 6.8 | EPSS 0.04% | Medium

Summary

A vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a low privileged local Windows user to disable the agent. This issue may be leveraged by malware to disable the Cortex XDR agent and then to perform malicious activity. The vulnerability affects Cortex XDR agent versions 7.9 (versions prior to 7.9.102), 8.1 (versions prior to 8.1.2), and 8.2 (versions prior to 8.2.1).

Impact

If exploited, this vulnerability could allow malware or an attacker with low privileges on a Windows system to disable the Cortex XDR security agent. This would prevent the agent from detecting and reporting malicious activity, leaving the system unprotected and enabling further attacks or malware execution. The CVSS v3.1 base score is 5.5 (Medium), with high impact on availability but no direct impact on confidentiality or integrity. The attack vector is local, low privileges are required, and no user interaction is needed.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

While not explicitly stated, the vulnerability data implies that patched versions are available. Users should update to Cortex XDR agent versions 7.9.102 or later for the 7.9 branch, 8.1.2 or later for the 8.1 branch, and 8.2.1 or later for the 8.2 branch.

Mitigation

1. Update all Windows systems running the Palo Alto Networks Cortex XDR agent to the latest patched version (7.9.102+, 8.1.2+, or 8.2.1+ depending on the branch).
2. Review and tighten security policies and permissions to prevent low privileged users from disabling or stopping the security agent processes.
3. Implement monitoring systems to detect any unauthorized modifications to the Cortex XDR agent.
4. Consider implementing additional security layers to compensate for potential Cortex XDR agent disabling.
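The first mitigation step is easiest to verify from an endpoint inventory. The following is an added example (not code from the advisory or from Palo Alto Networks) that classifies reported Cortex XDR agent versions against the affected ranges stated in the summary, using a constructed `host,version` inventory; branches the advisory does not name are reported as unlisted rather than guessed at.

```python
from typing import Dict, List, Tuple

# Fixed versions per affected branch, as given in the advisory summary.
FIXED_VERSIONS = {(7, 9): (7, 9, 102), (8, 1): (8, 1, 2), (8, 2): (8, 2, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '8.1.1' into (8, 1, 1)."""
    return tuple(int(p) for p in text.strip().split("."))


def status(version: str) -> str:
    """Classify one agent version: 'affected', 'fixed', 'unlisted' (a branch
    the advisory does not name, so no claim is made) or 'unparseable'."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unlisted"
    # Tuple comparison handles short strings: '8.1' -> (8, 1) < (8, 1, 2).
    return "affected" if v < fixed else "fixed"


def hosts_needing_update(inventory: List[str]) -> Dict[str, str]:
    """Return {host: version} for each 'host,version' line that is affected."""
    needing: Dict[str, str] = {}
    for line in inventory:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and the header comment
        host, _, version = line.partition(",")
        if status(version) == "affected":
            needing[host.strip()] = version.strip()
    return needing


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    "# host,cortex_xdr_agent_version",
    "ws-001,7.9.101",
    "ws-002,7.9.102",
    "ws-003,8.1.1",
    "ws-004,8.2.1",
    "ws-005,8.3.0",
]

if __name__ == "__main__":
    for host, ver in hosts_needing_update(SAMPLE_INVENTORY).items():
        print(f"{host}: agent {ver} is affected by CVE-2024-5909, update it")
```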

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber

Timeline

CVE Assignment

NVD published the first details for CVE-2024-5909

Jun 12, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-5909.

Jun 12, 2024 at 5:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jun 12, 2024 at 5:21 PM
Trending

This CVE started to trend in security discussions

Jun 12, 2024 at 9:20 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9%)

Jun 13, 2024 at 3:51 PM
Trending

This CVE stopped trending in security discussions

Jun 14, 2024 at 1:40 AM

Affected Systems

Paloaltonetworks/cortex_xdr_agent

Patches

security.paloaltonetworks.com

Links to MITRE ATT&CK

T1548: Abuse Elevation Control Mechanism

Attack Patterns

CAPEC-122: Privilege Abuse

References

CVE-2024-5909 Cortex XDR Agent: Local Windows User Can Disable the Agent - Palo Alto Networks
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a low privileged local Windows user to disable the agent. Palo Alto Networks is not aware of any malicious exploitation of this issue.
CVE-2024-5909 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM)

News

Multiple vulnerabilities in Palo Alto Networks Cortex XDR agent
No. This vulnerability can be exploited locally. A local user can disable the agent.
[CERT-daily] Daily summary - 13.06.2024
https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-windows-search-protocol-to-push-malicious-scripts/ [..] In June 2022, security researchers devised a potent attack chain that also exploited a Microsoft Office flaw to launch searches directly from Word documents.
CVE-2024-5909
High Severity. Description: A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a low privileged local Windows user to disable the agent. This issue may be leveraged by malware to disable the Cortex XDR agent and then to perform malicious activity. Read more at https://www.tenable.com/cve/CVE-2024-5909

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability Impact: High
