Palo Alto Networks Security Advisories

CVE-2024-5909 Cortex XDR Agent: Local Windows User Can Disable the Agent

Urgency: MODERATE
Response Effort: MODERATE
Recovery: USER
Value Density: DIFFUSE
Attack Vector: LOCAL
Attack Complexity: LOW
Attack Requirements: NONE
Automatable: NO
User Interaction: NONE
Product Confidentiality: NONE
Product Integrity: NONE
Product Availability: HIGH
Privileges Required: LOW
Subsequent Confidentiality: NONE
Subsequent Integrity: NONE
Subsequent Availability: NONE

Published: 2024-06-12
Updated: 2024-06-12
Reference: CPATR-21835 and CPATR-21826
Discovered: externally

Description

A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a low privileged local Windows user to disable the agent. This issue may be leveraged by malware to disable the Cortex XDR agent and then to perform malicious activity.

Product Status

| Versions | Affected | Unaffected |
|---|---|---|
| Cortex XDR Agent 8.4 | None | All |
| Cortex XDR Agent 8.3 | None | All |
| Cortex XDR Agent 8.2 | < 8.2.1 on Windows | >= 8.2.1 on Windows |
| Cortex XDR Agent 8.1 | < 8.1.2 on Windows | >= 8.1.2 on Windows |
| Cortex XDR Agent 7.9-CE | < 7.9.102-CE on Windows | >= 7.9.102-CE on Windows |

Severity: MEDIUM

CVSSv4.0 Base Score: 6.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-269 Improper Privilege Management

Solution

This issue is fixed in Cortex XDR agent 7.9.102-CE, Cortex XDR agent 8.1.2, Cortex XDR agent 8.2.1, and all later Cortex XDR agent versions.

Acknowledgments

Palo Alto Networks thanks Manuel Feifel of VUREX (InfoGuard AG) for discovering and reporting this issue.

Timeline

2024-06-12 Initial publication
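
An added example (not Palo Alto Networks code): a Python triage helper that applies this advisory's product status and solution statement to an inventory of agent versions, so unpatched Windows hosts can be listed for upgrade. The version string format `major.minor.patch[.build][-CE]`, the function names, and the sample hostnames and build numbers are assumptions constructed for illustration; the inventory is assumed to contain Windows agents only.

```python
import re

# First unaffected patch level per release line, from the advisory's product status.
# Key: (major, minor, is_ce) -> minimum unaffected patch number.
FIXED_PATCH = {(8, 2, False): 1, (8, 1, False): 2, (7, 9, True): 102}
# Release lines the advisory lists as unaffected in all versions.
UNAFFECTED_LINES = {(8, 3, False), (8, 4, False)}

# Assumed version format: major.minor.patch[.build][-CE]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-CE)?$", re.IGNORECASE)


def classify(version):
    """Return 'affected', 'unaffected', 'not_listed' or 'unparsed'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"  # surface for manual review, never assume safe
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    line = (major, minor, bool(m.group(4)))
    if line in UNAFFECTED_LINES:
        return "unaffected"
    if line in FIXED_PATCH:
        return "affected" if patch < FIXED_PATCH[line] else "unaffected"
    if not line[2] and (major, minor) > (8, 4):
        return "unaffected"  # Solution: fixed in "all later" agent versions
    return "not_listed"  # release line the advisory does not mention


def triage(inventory):
    """Map each status to the sorted hostnames in that state."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed inventory: hostnames and build numbers are made up.
SAMPLE = {
    "ws-001": "8.2.0.12345", "ws-002": "8.2.1.12345",
    "ws-003": "8.1.1",       "ws-004": "7.9.101-CE",
    "ws-005": "7.9.102-CE",  "ws-006": "8.3.0",
    "ws-007": "8.0.1",       "ws-008": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:11} {', '.join(hosts)}")
```

Hosts reported as `not_listed` or `unparsed` need manual review, because the advisory makes no statement about those release lines.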