TL;DR: In this blog post, we will review a security gap that may allow access to sensitive Cortex EDR support log files before they are encrypted. Because the files are readable during that window, their contents can be retrieved without any decryption step: attackers can copy the unencrypted files, bypassing the encryption and password protection that is applied afterwards. The case highlights the need to protect sensitive data throughout the entire handling process, not only in its final, encrypted form.
by: Hai Vaknin (vakninhai)
Recently, in my exploration of Cortex EDR’s security systems, I stumbled upon a discovery that goes against what we often expect in cybersecurity.
I found that it was possible to access sensitive log files before they were encrypted. This situation points to a potential security gap, allowing critical data to be accessed without the usual decryption steps.
The key issue I discovered is the ability to access these log files before the TFS encryption process is applied. In essence, this allows one to retrieve and read sensitive data from the logs without requiring the designated encryption key or engaging in the standard decryption procedure.
Step 1: Initiating Support File Generation
To begin, navigate to the Cortex agent on your endpoint device. Here, you’ll find an option to ‘Generate Support File’. This function is typically used for troubleshooting purposes and collects a range of operational data from the agent.

Once you initiate the support file generation, Cortex EDR creates a ZIP file. This file is stored in C:\Users\*\AppData\Roaming\PaloAltoNetworks\Traps\support. It's packed with crucial data, including whitelist folders, agent passwords, and detailed information about your environment and endpoint.
Key Observation: Alongside this ZIP file, you’ll find a text file named “_Crypto-info”. This isn’t just any text file; it contains sensitive data crucial for the decryption process. Here’s a glimpse of what it looks like:

An important aspect to note is that the ZIP file created by Cortex EDR is securely password-protected. This isn’t just a simple password you can guess or bypass easily; it requires specific credentials for decryption.
Here’s the catch: To decrypt this file, you need to access the Cortex web management interface. But it’s not as straightforward as it sounds. You must have administrative privileges on the tenant to proceed. This means that under normal circumstances, only someone with a high level of access and authority within the organization can decrypt this file and view its contents.
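The ordering problem described above (plaintext copies written to the support directory first, the protected archive built afterwards) is easy to reproduce in miniature. The following is an added example, not Cortex EDR's code or anything from Palo Alto Networks: it builds a stand-in support bundle both ways and uses a small probe to show what a concurrent reader of the output directory could see in the clear. The directory layout, file names, the "agent_password=" marker and the sample log lines are constructed, and the cipher is a labelled hash-keystream-plus-HMAC stand-in rather than a vetted AEAD.

```python
"""Added example: write-then-encrypt versus encrypt-then-write for a support bundle."""
from __future__ import annotations

import hashlib
import hmac
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Constructed sample "log" content; the marker lets the probe spot plaintext.
SENSITIVE_MARKER = b"agent_password="
SAMPLE_LOGS = {
    "agent.log": b"2024-01-01 boot ok\n" + SENSITIVE_MARKER + b"hunter2\n",
    "whitelist.txt": b"C:\\Tools\\allowed.exe\n",
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Demo keystream: SHA-256 in counter mode. Stand-in only, not a production cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def demo_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in encrypt-then-MAC: nonce || ciphertext || tag. Use AES-GCM in practice."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def demo_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_zip_bytes(files: dict[str, bytes]) -> bytes:
    # The archive is assembled in memory, so no plaintext member touches disk.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_plaintext_exposure(directory: Path, marker: bytes = SENSITIVE_MARKER) -> list[str]:
    """Probe/detector: files under `directory` that contain the marker in the clear."""
    hits = []
    for p in sorted(directory.rglob("*")):
        if p.is_file() and marker in p.read_bytes():
            hits.append(p.relative_to(directory).as_posix())
    return hits


def bundle_insecure(files: dict[str, bytes], out_dir: Path, key: bytes, observer) -> Path:
    """Write-then-encrypt: plaintext copies land in the shared output directory first."""
    staging = out_dir / "staging"
    staging.mkdir(parents=True, exist_ok=True)
    for name, data in files.items():
        (staging / name).write_bytes(data)  # readable by anyone who can read out_dir
    observer(out_dir)  # simulates a concurrent reader during the window
    archive = out_dir / "support.zip.enc"
    staged = {name: (staging / name).read_bytes() for name in files}
    archive.write_bytes(demo_encrypt(key, build_zip_bytes(staged)))
    shutil.rmtree(staging)  # too late: the window has already passed
    return archive


def bundle_hardened(files: dict[str, bytes], out_dir: Path, key: bytes, observer) -> Path:
    """Encrypt-then-write: only ciphertext ever reaches the output directory."""
    out_dir.mkdir(parents=True, exist_ok=True)
    blob = demo_encrypt(key, build_zip_bytes(files))  # plaintext stays in memory
    archive = out_dir / "support.zip.enc"
    tmp = archive.with_suffix(".tmp")
    tmp.write_bytes(blob)
    os.replace(tmp, archive)  # atomic rename: no partially written file is observable
    observer(out_dir)
    return archive  # the key is never written beside the archive


def run_comparison(files: dict[str, bytes] = SAMPLE_LOGS) -> dict[str, list[str]]:
    """Returns what a concurrent reader could see in the clear in each flow."""
    key = os.urandom(32)
    exposure: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as td:
        for label, build in (("insecure", bundle_insecure), ("hardened", bundle_hardened)):
            out = Path(td) / label

            def observer(d: Path, label: str = label) -> None:
                exposure[label] = find_plaintext_exposure(d)

            archive = build(files, out, key, observer)
            # The key holder can still open the bundle in both flows.
            restored = zipfile.ZipFile(io.BytesIO(demo_decrypt(key, archive.read_bytes())))
            assert sorted(restored.namelist()) == sorted(files)
    return exposure
```

run_comparison() returns {'insecure': ['staging/agent.log'], 'hardened': []}: only the write-then-encrypt flow lets a reader of the output directory see the sensitive line. The same find_plaintext_exposure probe, pointed at a product's support directory while a support file is being generated, is a cheap way to check whether that product has this gap, and bundle_hardened keeps the key out of the output directory altogether, which is the counterpart of not dropping a _Crypto-info file beside the archive.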