- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-26-2022 07:35 AM - edited 01-26-2022 07:35 AM
Hi,
does anyone know if the vulnerability CVE-2021-4034 is covered by Cortex XDR Prevent or Pro?
Kind regards
FH
01-26-2022 08:34 AM
Dear fhu_omi
There is no content update specifically for CVE-2021-4034 yet but this does not mean that you'll be unprotected. Cortex XDR focuses TTP's and unknowns and You'll be protected by BTP module.
01-30-2022 11:30 PM
Dear @etugriceri
I will test it, then we will see if there existing modules will cover this pointer vulnerability. There is a test program out now: https://pythonrepo.com/repo/kimusan-pkwner
02-02-2022 09:23 AM
Hello @fhu_omi, did you get a chance to run some tests?
I ran a test on a test environment with XDR pro enabled and the exploit was allowed to execute without tripping anything on Cortex side initially. I did get a wildfire post detection a few hours later.
I'd like to hear others feedback for this one.
Thanks
02-03-2022 01:25 PM
what version and content release is your asset on?
02-07-2022 08:18 AM
Hi @fhu_omi
did some test on this and I'm sharing a couple of sample below. You can play with them better detection or prevention. For the prevention, You need to create BIOC rule and add to Linux restriction profile. I'm sharing for demonstration purposes, might be intrusive and might need find tuning on it before using production. But the point is, even if PANW not shared BIOC via content update, still you can write your own prevention rule.
For detection
preset = xdr_process
| filter action_process_image_command_line contains "GCONV" and action_process_image_name in ("sh","bash","zsh") and actor_process_image_name = "pkexec" and agent_os_type = ENUM.AGENT_OS_LINUX
preset = xdr_process
| filter action_process_image_command_line contains "GCONV" and action_process_image_name in ("sh","bash","zsh") and agent_os_type = ENUM.AGENT_OS_LINUX
for Prevention
Process [ action type = execution AND target process cmd = *GCONV* ] AND Host [ host os = linux ]
Process [ action type = execution AND target process cmd = sh*GCONV*sh , bash*GCONV*bash ] AND Host [ host os = linux ]
Process [ action type = execution AND target process name = sh , bash , zsh AND target process cmd = *GCONV* ] AND Host [ host os = linux ]
(three different sample)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!