This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Is CVE-2021-4034 covered by Cortex XDR?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is CVE-2021-4034 covered by Cortex XDR?

fhu_omi
L1 Bithead

‎01-26-2022 07:35 AM - edited ‎01-26-2022 07:35 AM

Hi,

 

does anyone know if the vulnerability CVE-2021-4034 is covered by Cortex XDR Prevent or Pro?

Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation...

 

Kind regards

FH

2 people had this problem.
5 REPLIES 5

etugriceri
L3 Networker

‎01-26-2022 08:34 AM

Dear fhu_omi

 

There is no content update specifically for CVE-2021-4034 yet but this does not mean that you'll be unprotected. Cortex XDR focuses TTP's and unknowns and You'll be protected by BTP module. 

0 Likes Likes

fhu_omi
L1 Bithead
In response to etugriceri

‎01-30-2022 11:30 PM

Dear @etugriceri 

I will test it, then we will see if there existing modules will cover this pointer vulnerability. There is a test program out now: https://pythonrepo.com/repo/kimusan-pkwner

Luc_Desaulniers
L2 Linker
In response to fhu_omi

‎02-02-2022 09:23 AM

Hello @fhu_omi, did you get a chance to run some tests?

I ran a test on a test environment with XDR pro enabled and the exploit was allowed to execute without tripping anything on Cortex side initially. I did get a wildfire post detection a few hours later.

 

I'd like to hear others feedback for this one.

 

Thanks

0 Likes Likes

P.Jacob
L3 Networker

‎02-03-2022 01:25 PM

what version and content release is your asset on?

0 Likes Likes

etugriceri
L3 Networker

‎02-07-2022 08:18 AM

Hi @fhu_omi 

 

did some test on this and I'm sharing a couple of sample below. You can play with them better detection or prevention. For the prevention, You need to create BIOC rule and add to Linux restriction profile. I'm sharing for demonstration purposes, might be intrusive and might need find tuning on it before using production. But the point is, even if PANW not shared BIOC via content update, still you can write your own prevention rule. 

 

For detection
preset = xdr_process
| filter action_process_image_command_line contains "GCONV" and action_process_image_name in ("sh","bash","zsh") and actor_process_image_name = "pkexec" and agent_os_type = ENUM.AGENT_OS_LINUX


preset = xdr_process
| filter action_process_image_command_line contains "GCONV" and action_process_image_name in ("sh","bash","zsh") and agent_os_type = ENUM.AGENT_OS_LINUX

 

for Prevention
Process [ action type = execution AND target process cmd = *GCONV* ] AND Host [ host os = linux ]

Process [ action type = execution AND target process cmd = sh*GCONV*sh , bash*GCONV*bash ] AND Host [ host os = linux ]

Process [ action type = execution AND target process name = sh , bash , zsh AND target process cmd = *GCONV* ] AND Host [ host os = linux ]

 

(three different sample)

 

etugriceri_0-1644250489517.png

 

  • 4398 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks