Delinea Secret Server customers should apply latest patches
(2024/04/15)
- Reference: 1713189611
- News link: https://www.theregister.co.uk/2024/04/15/delinea_secret_server_patch/
- Source link:
Updated Customers of Delinea's Secret Server are being urged to upgrade their installations "immediately" after a researcher claimed a critical vulnerability could allow attackers to gain admin-level access.
Secret Server is a privileged access management (PAM) product from Delinea (formerly known as Thycotic and ThycoticCentrify), meaning admin-level access could provide attackers with a way into account credentials of an organization's most senior staff. A keys to the kingdom kind of deal.
Researcher Johnny Yu discovered the vulnerability affecting both on-prem and cloud deployments of Secret Server, and published the details late last week after what he says was a lengthy and ultimately failed campaign to disclose the issue to Delinea.
[1]
Delinea acknowledged the "critical vulnerability" in the SOAP API on April 13 and fixed it in the latest version (11.7.000001), but didn't credit Yu by name with the discovery.
[2]
[3]
It also said there is no evidence to suggest the vulnerability, which hasn't been assigned a [4]CVE , was exploited before the fix was released, and therefore all customer data is believed to be safe.
The release of [5]version 11.7.000001 followed a seven-hour outage on April 12, per Delinea's [6]status page , which stated it was investigating a security incident. Delinea blocked traffic to an unnamed endpoint that contained a "security concern" until the patch was rolled out hours later.
[7]
The vendor didn't explicitly link the disclosed vulnerability to the security incident that led to the service disruption a day earlier – the [8]dedicated page for the Secret Server vulnerability also mentioned SOAP endpoints being limited for Secret Server Cloud customers.
Infosec expert Kevin Beaumont claimed he was able to confirm that the disruption was related to the vulnerability in question.
"On-prem customers need to update, and cloud customers need to hope Delinea understands exactly what happened and is transparent about outcomes," he [9]said . "For example, if nothing happened, why are there attacker indicators of compromise?"
[10]
The Reg asked Delinea about a few of the incident's particulars, but it didn't immediately respond.
Dropping the SOAP
Yu's writeup states he made two key discoveries that led to the authentication bypass exploit. The first was a hardcoded key used to deserialize an API token into a Microsoft.Owin.Security.AuthenticationTicket object, and the other was that each user profile had a nameidentifier property, which holds an integer string.
[11]Microsoft breach allowed Russian spies to steal emails from US government
[12]D-Link issues rip and replace order for besieged NAS drives
[13]Serial extortionist of medical facilities pleads guilty to cybercrime charges
[14]GitHub struggles to keep up with automated malicious forks
He realized that every account holds an integer value in the order in which it was created, so an admin account, which is created during Secret Server's installation, always had the nameidentifier value of "2".
"If we know the hardcoded key to deserializing the [15]API token and we know the integer value associated with the admin profile, we should be able to craft a serialized API token with admin role, and net access to any Delinea Secret Server's protected resources through the web services API," Yu [16]blogged .
After overcoming an issue that required an AuthenticationTicket to be associated with a valid timestamp that was created by an authenticated user, Yu says he was able to develop a local privilege escalation (LPE) exploit.
He then noted that if he removed the oauthExpirationId attribute from the AuthenticationTicket , the timestamp check wouldn't be invoked, in turn creating a full authentication bypass exploit.
Yu says he tried to disclose the vulnerability to Delinea on February 12, but was told by the vendor that he couldn't open a case since he wasn't a paying customer, nor was he affiliated with one.
Per his disclosure timeline, the researcher tried to work with "CERT," which we can assume to be US-CERT given Delinea's Santa Clara headquarters, to disclose the vulnerability on his behalf.
Delinea allegedly failed to respond to the responsible disclosure attempts, even after two deadline extensions.
Yu went public on April 10, two days before Delinea's disruption and resultant patch release. ®
Updated at 15.56 UTC on April 15, 2024, to add:
Delinea sent us a statement post publication:
"We confirm there was a vulnerability in Secret Server. Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable. We have provided a remediation guide for our on-premise customers to fix the vulnerability.
"Our Engineering and Security teams have conducted reviews for any evidence of compromised tenant data. At this time, we have found no evidence that any customer's data has been compromised and no attempts to exploit the vulnerability has occurred. We continue to monitor this situation. Ongoing updates will be posted on [17]trust.delinea.com ".
Get our [18]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zh1PGYkOFE-d7TbaotndegAAAI4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zh1PGYkOFE-d7TbaotndegAAAI4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zh1PGYkOFE-d7TbaotndegAAAI4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://www.theregister.com/2024/03/22/opinion_column_nist/
[5] https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-7-000001.htm?source=post_page-----581a33990882--------------------------------
[6] https://status.delinea.com/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zh1PGYkOFE-d7TbaotndegAAAI4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3
[9] https://doublepulsar.com/delinea-has-cloud-security-incident-in-thycotic-secret-server-gaff-581a33990882
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zh1PGYkOFE-d7TbaotndegAAAI4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[11] https://www.theregister.com/2024/04/12/microsoft_cisa_order/
[12] https://www.theregister.com/2024/04/09/dlink_issues_rip_and_replace/
[13] https://www.theregister.com/2024/03/20/serial_extortionist_of_medical_facilities/
[14] https://www.theregister.com/2024/03/01/github_automated_fork_campaign/
[15] https://www.theregister.com/2022/05/25/why_apis_matter/
[16] https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3
[17] https://trust.delinea.com/
[18] https://whitepapers.theregister.com/
Secret Server is a privileged access management (PAM) product from Delinea (formerly known as Thycotic and ThycoticCentrify), meaning admin-level access could provide attackers with a way into account credentials of an organization's most senior staff. A keys to the kingdom kind of deal.
Researcher Johnny Yu discovered the vulnerability affecting both on-prem and cloud deployments of Secret Server, and published the details late last week after what he says was a lengthy and ultimately failed campaign to disclose the issue to Delinea.
[1]
Delinea acknowledged the "critical vulnerability" in the SOAP API on April 13 and fixed it in the latest version (11.7.000001), but didn't credit Yu by name with the discovery.
[2]
[3]
It also said there is no evidence to suggest the vulnerability, which hasn't been assigned a [4]CVE , was exploited before the fix was released, and therefore all customer data is believed to be safe.
The release of [5]version 11.7.000001 followed a seven-hour outage on April 12, per Delinea's [6]status page , which stated it was investigating a security incident. Delinea blocked traffic to an unnamed endpoint that contained a "security concern" until the patch was rolled out hours later.
[7]
The vendor didn't explicitly link the disclosed vulnerability to the security incident that led to the service disruption a day earlier – the [8]dedicated page for the Secret Server vulnerability also mentioned SOAP endpoints being limited for Secret Server Cloud customers.
Infosec expert Kevin Beaumont claimed he was able to confirm that the disruption was related to the vulnerability in question.
"On-prem customers need to update, and cloud customers need to hope Delinea understands exactly what happened and is transparent about outcomes," he [9]said . "For example, if nothing happened, why are there attacker indicators of compromise?"
[10]
The Reg asked Delinea about a few of the incident's particulars, but it didn't immediately respond.
Dropping the SOAP
Yu's writeup states he made two key discoveries that led to the authentication bypass exploit. The first was a hardcoded key used to deserialize an API token into a Microsoft.Owin.Security.AuthenticationTicket object, and the other was that each user profile had a nameidentifier property, which holds an integer string.
[11]Microsoft breach allowed Russian spies to steal emails from US government
[12]D-Link issues rip and replace order for besieged NAS drives
[13]Serial extortionist of medical facilities pleads guilty to cybercrime charges
[14]GitHub struggles to keep up with automated malicious forks
He realized that every account holds an integer value in the order in which it was created, so an admin account, which is created during Secret Server's installation, always had the nameidentifier value of "2".
"If we know the hardcoded key to deserializing the [15]API token and we know the integer value associated with the admin profile, we should be able to craft a serialized API token with admin role, and net access to any Delinea Secret Server's protected resources through the web services API," Yu [16]blogged .
After overcoming an issue that required an AuthenticationTicket to be associated with a valid timestamp that was created by an authenticated user, Yu says he was able to develop a local privilege escalation (LPE) exploit.
He then noted that if he removed the oauthExpirationId attribute from the AuthenticationTicket , the timestamp check wouldn't be invoked, in turn creating a full authentication bypass exploit.
Yu says he tried to disclose the vulnerability to Delinea on February 12, but was told by the vendor that he couldn't open a case since he wasn't a paying customer, nor was he affiliated with one.
Per his disclosure timeline, the researcher tried to work with "CERT," which we can assume to be US-CERT given Delinea's Santa Clara headquarters, to disclose the vulnerability on his behalf.
Delinea allegedly failed to respond to the responsible disclosure attempts, even after two deadline extensions.
Yu went public on April 10, two days before Delinea's disruption and resultant patch release. ®
Updated at 15.56 UTC on April 15, 2024, to add:
Delinea sent us a statement post publication:
"We confirm there was a vulnerability in Secret Server. Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable. We have provided a remediation guide for our on-premise customers to fix the vulnerability.
"Our Engineering and Security teams have conducted reviews for any evidence of compromised tenant data. At this time, we have found no evidence that any customer's data has been compromised and no attempts to exploit the vulnerability has occurred. We continue to monitor this situation. Ongoing updates will be posted on [17]trust.delinea.com ".
Get our [18]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zh1PGYkOFE-d7TbaotndegAAAI4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zh1PGYkOFE-d7TbaotndegAAAI4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zh1PGYkOFE-d7TbaotndegAAAI4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://www.theregister.com/2024/03/22/opinion_column_nist/
[5] https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-7-000001.htm?source=post_page-----581a33990882--------------------------------
[6] https://status.delinea.com/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zh1PGYkOFE-d7TbaotndegAAAI4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3
[9] https://doublepulsar.com/delinea-has-cloud-security-incident-in-thycotic-secret-server-gaff-581a33990882
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zh1PGYkOFE-d7TbaotndegAAAI4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[11] https://www.theregister.com/2024/04/12/microsoft_cisa_order/
[12] https://www.theregister.com/2024/04/09/dlink_issues_rip_and_replace/
[13] https://www.theregister.com/2024/03/20/serial_extortionist_of_medical_facilities/
[14] https://www.theregister.com/2024/03/01/github_automated_fork_campaign/
[15] https://www.theregister.com/2022/05/25/why_apis_matter/
[16] https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3
[17] https://trust.delinea.com/
[18] https://whitepapers.theregister.com/
"The Reg asked Delinea about a few of the incident's particulars, but it didn't immediately respond."
... Because you're not a paying customer!