CVE-2021-3041: 
Cortex XDR vulnerability analysis and mitigation

A local privilege escalation vulnerability (CVE-2021-3041) was discovered in the Palo Alto Networks Cortex XDR agent on Windows platforms. The vulnerability was found during an internal security review by Robert McCallum of Palo Alto Networks and was disclosed on June 9, 2021. The vulnerability affects multiple versions of Cortex XDR agent including versions 5.0 (earlier than 5.0.11), 6.1 (earlier than 6.1.8), 7.2 (earlier than 7.2.3), and all versions of 7.2 without content update release 171 or later (Palo Advisory).

The vulnerability allows an authenticated local Windows user to execute programs with SYSTEM privileges. The exploitation requires the user to have privileges to create files in the Windows root directory or to manipulate key registry values. The vulnerability has been classified with a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness type is identified as CWE-427 Uncontrolled Search Path Element (Palo Advisory).

If exploited, this vulnerability allows attackers with local Windows user access to elevate their privileges to SYSTEM level, potentially gaining complete control over the affected system. This could lead to unauthorized access to sensitive data, system modifications, and full system compromise (Palo Advisory).

The vulnerability has been fixed in Cortex XDR agent versions 5.0.11, 6.1.8, 7.2.3, and all later versions. Content updates are required to resolve this issue and are automatically applied for the agent. As a workaround, organizations can mitigate the vulnerability by preventing local authenticated Windows users from creating files in the Windows root directory (such as C:) and ensuring they are unable to manipulate the Windows registry (Palo Advisory).