https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/461179#M1493 <P>Dear fhu_omi</P><P>&nbsp;</P><P>There is no content update specifically for&nbsp;<SPAN>CVE-2021-4034 yet but this does not mean that you'll be unprotected. Cortex XDR focuses TTP's and unknowns&nbsp;and You'll be protected by BTP module.&nbsp;</SPAN></P> Wed, 26 Jan 2022 16:34:11 GMT etugriceri 2022-01-26T16:34:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/461165#M1492 <P>Hi,</P><P>&nbsp;</P><P>does anyone know if the vulnerability CVE-2021-4034 is covered by Cortex XDR Prevent or Pro?</P><P>Source: <STRONG><A href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034" target="_blank" rel="noopener">https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034</A></STRONG></P><P>&nbsp;</P><P>Kind regards</P><P>FH</P> Wed, 26 Jan 2022 15:35:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/461165#M1492 fhu_omi 2022-01-26T15:35:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/461179#M1493 <P>Dear fhu_omi</P><P>&nbsp;</P><P>There is no content update specifically for&nbsp;<SPAN>CVE-2021-4034 yet but this does not mean that you'll be unprotected. Cortex XDR focuses TTP's and unknowns&nbsp;and You'll be protected by BTP module.&nbsp;</SPAN></P> Wed, 26 Jan 2022 16:34:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/461179#M1493 etugriceri 2022-01-26T16:34:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/462045#M1512 <P>Dear <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179256">@etugriceri</a>&nbsp;</P><P>I will test it, then we will see if there existing modules will cover this pointer vulnerability. There is a test program out now: <A href="https://pythonrepo.com/repo/kimusan-pkwner" target="_blank">https://pythonrepo.com/repo/kimusan-pkwner</A></P> Mon, 31 Jan 2022 07:30:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/462045#M1512 fhu_omi 2022-01-31T07:30:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/462861#M1520 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/173884">@fhu_omi</a>, did you get a chance to run some tests?</P><P>I ran a test on a test environment with XDR pro enabled and the exploit was allowed to execute without tripping anything on Cortex side initially. I did get a wildfire post detection a few hours later.</P><P>&nbsp;</P><P>I'd like to hear others feedback for this one.</P><P>&nbsp;</P><P>Thanks</P> Wed, 02 Feb 2022 17:23:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/462861#M1520 Luc_Desaulniers 2022-02-02T17:23:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/463238#M1531 <P>what version and content release is your asset on?</P> Thu, 03 Feb 2022 21:25:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/463238#M1531 P.Jacob 2022-02-03T21:25:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/463888#M1538 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/173884">@fhu_omi</a>&nbsp;</P><P>&nbsp;</P><P>did some test on this and I'm sharing a couple of sample below. You can play with them better detection or prevention. For the prevention, You need to create BIOC rule and add to Linux restriction profile. I'm sharing for demonstration purposes, might be intrusive and might need find tuning on it before using production. But the point is, even if PANW not shared BIOC via content update, still you can write your own prevention rule.&nbsp;</P><P>&nbsp;</P><P><STRONG>For detection</STRONG><BR />preset = xdr_process<BR />| filter action_process_image_command_line contains "GCONV" and action_process_image_name in ("sh","bash","zsh") and actor_process_image_name = "pkexec" and agent_os_type = ENUM.AGENT_OS_LINUX</P><P><BR />preset = xdr_process<BR />| filter action_process_image_command_line contains "GCONV" and action_process_image_name in ("sh","bash","zsh") and agent_os_type = ENUM.AGENT_OS_LINUX</P><P>&nbsp;</P><P><STRONG>for Prevention</STRONG><BR />Process [ action type = execution AND target process cmd = *GCONV* ] AND Host [ host os = linux ]</P><P>Process [ action type = execution AND target process cmd = sh*GCONV*sh , bash*GCONV*bash ] AND Host [ host os = linux ]</P><P>Process [ action type = execution AND target process name = sh , bash , zsh AND target process cmd = *GCONV* ] AND Host [ host os = linux ]</P><P>&nbsp;</P><P><EM>(three different sample)</EM></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="etugriceri_0-1644250489517.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39002i679D507FCF62A3D0/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="etugriceri_0-1644250489517.png" alt="etugriceri_0-1644250489517.png" /></span></P><P>&nbsp;</P> Mon, 07 Feb 2022 16:18:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-cve-2021-4034-covered-by-cortex-xdr/m-p/463888#M1538 etugriceri 2022-02-07T16:18:46Z