PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules in Cortex XDR Agent

Severity: Informational
Published: 2024-04-24
Updated: 2024-04-24
Reference: Discovered externally

Description

The Palo Alto Networks Product Security Assurance team is aware of research presented by SafeBreach entitled "The Dark Side of EDR", describing a specifically crafted proof of concept (PoC) that bypasses Cortex XDR agent endpoint protection modules. Practical attack scenarios require administrative privileges to perform this bypass.

The technique presented is detected and blocked in agents with content update CU-1320 and later. This issue does not represent a product vulnerability risk to customers using the Cortex XDR agent. This issue is not applicable to Mac OS and Linux platforms.

Product Status

Product           Version  Affected                                                   Unaffected
Cortex XDR Agent  8.4      Agents with content update earlier than CU-1320 on Windows  Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent  8.3      Agents with content update earlier than CU-1320 on Windows  Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent  8.2      Agents with content update earlier than CU-1320 on Windows  Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent  8.1      Agents with content update earlier than CU-1320 on Windows  Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent  8.0      Agents with content update earlier than CU-1320 on Windows  Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent  7.9      Agents with content update earlier than CU-1320 on Windows  Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent  5.0      All agents on Windows                                       (none)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Solution

Cortex XDR agent content update CU-1320 detects and prevents this technique.

No updates are planned for Cortex XDR agent 5.0, as it does not have the Behavioral Threat Protection module required to detect this technique.

Acknowledgments

Palo Alto Networks thanks Shmuel Cohen of SafeBreach for discovering and reporting this issue.

Timeline

2024-04-24  Initial publication