A Step-by-Step Guide to Understanding The TFS Vulnerability in the Cortex EDR
Updated: Jun 25
TL;DR In this blog post, we will review a security gap that may allow access to sensitive log files before they are encrypted. This vulnerability may permit retrieval and reading of critical data without decryption steps. Attackers can exploit this brief window to copy these unencrypted files, bypassing encryption and password-protection measures, highlighting the need for better protection of sensitive data throughout the entire handling process.
Recently, in my exploration of Cortex EDR’s security systems, I stumbled upon a discovery that goes against what we often expect in cybersecurity.
I found that it was possible to access sensitive log files before they were encrypted. This situation points to a potential security gap, allowing critical data to be accessed without the usual decryption steps.
The key issue I discovered is the ability to access these log files before the TFS encryption process is applied. In essence, this allows one to retrieve and read sensitive data from the logs without requiring the designated encryption key or engaging in the standard decryption procedure.
Step 1: Initiating Support File Generation
To begin, navigate to the Cortex agent on your endpoint device. Here, you’ll find an option to ‘Generate Support File’. This function is typically used for troubleshooting purposes and collects a range of operational data from the agent.
Once you initiate the support file generation, Cortex EDR creates a ZIP file. This file is stored in C:\Users\*\AppData\Roaming\PaloAltoNetworks\Traps\support. It's packed with crucial data, including whitelist folders, agent passwords, and detailed information about your environment and endpoint.
Key Observation: Alongside this ZIP file, you’ll find a text file named “_Crypto-info”. This isn’t just any text file; it contains sensitive data crucial for the decryption process. Here’s a glimpse of what it looks like:
An important aspect to note is that the ZIP file created by Cortex EDR is securely password-protected. This isn’t just a simple password you can guess or bypass easily; it requires specific credentials for decryption.
Here’s the catch: To decrypt this file, you need to access the Cortex web management interface. But it’s not as straightforward as it sounds. You must have administrative privileges on the tenant to proceed. This means that under normal circumstances, only someone with a high level of access and authority within the organization can decrypt this file and view its contents.
This process is a critical security measure put in place by Cortex. It ensures that sensitive information, like the whitelist folders, agent passwords, and other crucial environment and endpoint data within the ZIP file, is not easily accessible to just anyone. It’s meant to safeguard against unauthorized access and potential security breaches.
However, as we will see in the next steps, this security measure has its own vulnerabilities.
Step 2: Locating Temporary Files and Capturing Data Before Encryption
As soon as you initiate the ‘Generate Logs’ process in Cortex EDR, several things happen in quick succession:
Exploiting the Gap: An attacker with access to the system during this critical minute can copy these unencrypted files elsewhere. This action effectively bypasses the encryption and password-protection mechanism that Cortex EDR intends to use for securing these logs.
This brief yet crucial period of vulnerability highlights a significant gap in data security. It emphasizes the importance of ensuring that sensitive data is protected at all stages of handling, not just after encryption is applied.
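As an added auditing example (not part of the original post and not Cortex’s own tooling), the script below snapshots the support directory named above, flags any artifact that is readable without the ZIP password, and, when run while a support file is being generated, measures how long each plaintext artifact stayed on disk. It assumes only the directory path from the post; the temporary file names are not given there, so every non-ZIP file is treated as a potential plaintext artifact.

```python
"""Audit a Cortex support-file directory for plaintext exposure.

Added example, not Palo Alto Networks code. Only the support directory
path comes from the post; temporary file names are not given there, so
every non-ZIP file is treated as a potential plaintext artifact.
"""
import os
import time
import zipfile

# Path named in the post, with the per-user part resolved via %APPDATA%.
SUPPORT_DIR = os.path.expandvars(r"%APPDATA%\PaloAltoNetworks\Traps\support")

def zip_is_password_protected(path):
    """True only if every member has the ZIP encryption flag (bit 0) set."""
    with zipfile.ZipFile(path) as zf:
        infos = zf.infolist()
    return bool(infos) and all(i.flag_bits & 0x1 for i in infos)

def classify(path):
    """'protected-zip', 'plaintext-zip' or 'plaintext-file'."""
    if zipfile.is_zipfile(path):
        return "protected-zip" if zip_is_password_protected(path) else "plaintext-zip"
    return "plaintext-file"

def audit(directory):
    """One snapshot: classification of every regular file in the directory."""
    return {name: classify(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}

def measure_exposure(directory, duration_s=120, interval_s=0.2):
    """Poll during support-file generation and report, per plaintext
    artifact, how many seconds it existed before being removed; None
    means it was still on disk when polling stopped."""
    first_seen, exposure = {}, {}
    deadline = time.monotonic() + duration_s
    while time.monotonic() < deadline:
        now = time.monotonic()
        present = {n for n, k in audit(directory).items() if k != "protected-zip"}
        for name in present - set(first_seen):
            first_seen[name] = now
        for name in set(first_seen) - present:
            exposure[name] = now - first_seen.pop(name)
        time.sleep(interval_s)
    exposure.update({name: None for name in first_seen})
    return exposure
```

A `_Crypto-info` text file left beside the ZIP shows up as `plaintext-file` with an exposure of `None`, i.e. never cleaned up; a temporary file that is zipped and deleted within the window shows up with the number of seconds it was readable.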