Is CVE-2021-4034 covered by Cortex XDR?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Is CVE-2021-4034 covered by Cortex XDR?

L1 Bithead

Hi,

 

does anyone know if the vulnerability CVE-2021-4034 is covered by Cortex XDR Prevent or Pro?

Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation...

 

Kind regards

FH

5 REPLIES 5

L3 Networker

Dear fhu_omi

 

There is no content update specifically for CVE-2021-4034 yet but this does not mean that you'll be unprotected. Cortex XDR focuses TTP's and unknowns and You'll be protected by BTP module. 

Dear @etugriceri 

I will test it, then we will see if there existing modules will cover this pointer vulnerability. There is a test program out now: https://pythonrepo.com/repo/kimusan-pkwner

Hello @fhu_omi, did you get a chance to run some tests?

I ran a test on a test environment with XDR pro enabled and the exploit was allowed to execute without tripping anything on Cortex side initially. I did get a wildfire post detection a few hours later.

 

I'd like to hear others feedback for this one.

 

Thanks

L3 Networker

what version and content release is your asset on?

L3 Networker

Hi @fhu_omi 

 

did some test on this and I'm sharing a couple of sample below. You can play with them better detection or prevention. For the prevention, You need to create BIOC rule and add to Linux restriction profile. I'm sharing for demonstration purposes, might be intrusive and might need find tuning on it before using production. But the point is, even if PANW not shared BIOC via content update, still you can write your own prevention rule. 

 

For detection
preset = xdr_process
| filter action_process_image_command_line contains "GCONV" and action_process_image_name in ("sh","bash","zsh") and actor_process_image_name = "pkexec" and agent_os_type = ENUM.AGENT_OS_LINUX


preset = xdr_process
| filter action_process_image_command_line contains "GCONV" and action_process_image_name in ("sh","bash","zsh") and agent_os_type = ENUM.AGENT_OS_LINUX

 

for Prevention
Process [ action type = execution AND target process cmd = *GCONV* ] AND Host [ host os = linux ]

Process [ action type = execution AND target process cmd = sh*GCONV*sh , bash*GCONV*bash ] AND Host [ host os = linux ]

Process [ action type = execution AND target process name = sh , bash , zsh AND target process cmd = *GCONV* ] AND Host [ host os = linux ]

 

(three different sample)

 

etugriceri_0-1644250489517.png

 

  • 3426 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!