
When the agent is deployed with non-default service account configurations such as elevated permissions under Server Operator or Domain Join roles, an unprivileged domain user can exploit file-read or memory-dump mechanisms to retrieve the password.
Once obtained, the attacker may use the account’s permissions to uninstall or disable the User-ID service, undermining network security policies that rely on credential-phishing prevention under a Domain Credential Filter configuration.
In environments where the service account holds higher privileges, the exposed credentials could enable server-level control, including shutdown or restart operations, rogue computer object creation, and reconnaissance or probing of network clients.
Impact Variation by Service Account Privileges
The severity of the impact depends on the privilege level assigned to the service account.
Minimally privileged accounts, those configured with only basic service permissions, are susceptible to disruption of User-ID operations, which weakens the enforcement of advanced URL filtering rules.
The Common Vulnerability Scoring System (CVSS) rates this exposure as Low (CVSS-BT 1.9, CVSS-B 5.8), reflecting limited impact when only service-level disruption is possible.
Elevated service accounts, such as those granted Server Operator or Domain Join rights, face a Medium-severity rating (CVSS-BT 4.2, CVSS-B 7.2), given the broader range of actions an attacker could perform, including domain manipulation and network compromise via credential reuse.
Mitigation and Remediation Guidance
Palo Alto Networks has addressed the vulnerability in User-ID Credential Agent version 11.0.3 on Windows and later.
Administrators running version 11.0.0 through 11.0.1-104 require no action, while those on 11.0 and 11.0.1-105 through 11.0.2-132 should upgrade to at least 11.0.3.
In the interim, organizations can mitigate privilege escalation risks by verifying that Domain Users are not granted “Allow log on locally” rights on Domain Controllers.
This setting is found under Group Policy Management in the Default Domain Controllers Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
Additionally, following best-practice guidelines to create dedicated, minimally privileged service accounts for the User-ID agent and properly configure credential-detection policies can further reduce exposure.
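The interim check described above (confirming that Domain Users do not hold "Allow log on locally" on Domain Controllers) can be scripted from an elevated PowerShell session on a Domain Controller. The script below is an added example, not code from the article or from Palo Alto Networks: it exports the effective local security policy with secedit, reads the SeInteractiveLogonRight entry (the policy name behind "Allow log on locally"), and flags any principal that would extend that right to every domain user. The export path and the function names are illustration choices.

```powershell
# Added example (not from the article): audit "Allow log on locally" on this Domain Controller.
# Run in an elevated PowerShell session on a DC. The export path is an assumption.

function Get-AllowLogOnLocallyPrincipals {
    param([string]$ExportPath = (Join-Path $env:TEMP 'secpol-user-rights.inf'))

    # secedit writes the effective policy, including user rights assignments, to an .inf file.
    secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null

    $line = Get-Content $ExportPath |
        Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }

    # The value is a comma-separated list; resolved accounts appear as "*SID",
    # unresolvable ones as plain names.
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }
            [pscustomobject]@{ Sid = $sid.Value; Name = $name }
        } else {
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
}

function Test-DomainUsersLogOnLocally {
    $principals = Get-AllowLogOnLocallyPrincipals

    # Domain Users is RID 513 under the domain SID. Everyone (S-1-1-0) and
    # Authenticated Users (S-1-5-11) would grant the right to every domain user too.
    $overbroad = $principals | Where-Object {
        ($_.Sid -and ($_.Sid -match '-513$' -or $_.Sid -in @('S-1-1-0', 'S-1-5-11'))) -or
        ($_.Name -match 'Domain Users$')
    }

    if ($overbroad) {
        Write-Warning 'Allow log on locally is granted to an over-broad principal on this DC:'
        $overbroad | Format-Table Name, Sid -AutoSize
        return $false
    }
    Write-Output 'Allow log on locally is not granted to Domain Users, Everyone, or Authenticated Users.'
    $principals | Format-Table Name, Sid -AutoSize
    return $true
}

Test-DomainUsersLogOnLocally
```

This inspects the policy as it is actually applied on the machine, which is what matters for the mitigation; to confirm the setting at its source, the same SeInteractiveLogonRight entry can be read from the Default Domain Controllers Policy with the GroupPolicy module (`Get-GPOReport -Name 'Default Domain Controllers Policy' -ReportType Xml`), under the path the article gives for User Rights Assignment.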
No malicious exploitation of this issue has been reported to date, but timely patching and policy review are recommended to preserve network security integrity.
The post Palo Alto User-ID Agent Vulnerability Leaks Passwords in Cleartext appeared first on Cyber Security News.
