Bypass Record

Tamper-Protection Bypass × Palo Alto Networks Cortex XDR Agent

A publicly reported instance of a tamper-protection bypass against the Palo Alto Networks Cortex XDR Agent, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Palo Alto Networks Cortex XDR Agent
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: unknown
Disclosed: 2024-07-10
Config / version noted: Not stated

Provenance

Reported as

CVE-2024-5912: Cortex XDR Agent Improper File Signature Verification Allows Executable Blocking Bypass

Mechanism

The Cortex XDR agent fails to properly verify cryptographic signatures on files, so an attacker can run untrusted executables that the agent's executable-blocking feature should have blocked. The result is a bypass of the agent's detection and blocking mechanism rather than of the agent process itself.

Detection & mitigation

Monitor Cortex XDR agent logs for process creation events that policy should have blocked, and correlate them with signature verification failures. Ensure agents are updated to version 7.9.102-CE, 8.1.3, or 8.2.2 or later to remediate the vulnerability.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.