Delinea Secret Server customers should apply latest patches

Attackers could nab an org's most sensitive keys if left unaddressed


Updated Customers of Delinea's Secret Server are being urged to upgrade their installations "immediately" after a researcher claimed a critical vulnerability could allow attackers to gain admin-level access.

Secret Server is a privileged access management (PAM) product from Delinea (formerly known as Thycotic and ThycoticCentrify), meaning admin-level access could provide miscreants with a way into account credentials of an organization's most senior staff. A keys to the kingdom kind of deal.

Researcher Johnny Yu discovered the vulnerability affecting both on-prem and cloud deployments of Secret Server, and published the details late last week after what he says was a lengthy and ultimately failed campaign to disclose the issue to Delinea.

Delinea acknowledged the "critical vulnerability" in the SOAP API on April 13 and fixed it in the latest version (11.7.000001), but didn't credit Yu by name with the discovery.

It also said there is no evidence to suggest the vulnerability, which hasn't been assigned a CVE, was exploited before the fix was released, and therefore all customer data is believed to be safe.

The release of version 11.7.000001 followed a seven-hour outage on April 12, per Delinea's status page, which stated it was investigating a security incident. Delinea blocked traffic to an unnamed endpoint that contained a "security concern" until the patch was rolled out hours later.

The vendor didn't explicitly link the disclosed vulnerability to the security incident that led to the service disruption a day earlier – the dedicated page for the Secret Server vulnerability also mentioned SOAP endpoints being limited for Secret Server Cloud customers.

Infosec expert Kevin Beaumont claimed he was able to confirm that the disruption was related to the vulnerability in question.

"On-prem customers need to update, and cloud customers need to hope Delinea understands exactly what happened and is transparent about outcomes," he said. "For example, if nothing happened, why are there attacker indicators of compromise?"

The Reg asked Delinea about a few of the incident's particulars, but it didn't immediately respond.

Dropping the SOAP

Yu's writeup states he made two key discoveries that led to the authentication bypass exploit. The first was a hardcoded key used to deserialize an API token into a Microsoft.Owin.Security.AuthenticationTicket object, and the other was that each user profile had a nameidentifier property, which holds an integer string.

He realized that each account's nameidentifier is a sequential integer assigned in creation order, so the admin account, which is created during Secret Server's installation, always had the nameidentifier value of "2".

"If we know the hardcoded key to deserializing the API token and we know the integer value associated with the admin profile, we should be able to craft a serialized API token with admin role, and net access to any Delinea Secret Server's protected resources through the web services API," Yu blogged.

After working around a check that required the AuthenticationTicket to be tied to a valid timestamp created by an authenticated user, Yu says he was able to develop a local privilege escalation (LPE) exploit.

He then noted that if he removed the oauthExpirationId attribute from the AuthenticationTicket, the timestamp check wouldn't be invoked, in turn creating a full authentication bypass exploit.

Yu says he tried to disclose the vulnerability to Delinea on February 12, but was told by the vendor that he couldn't open a case since he wasn't a paying customer, nor was he affiliated with one.

Per his disclosure timeline, the researcher tried to work with "CERT," which we can assume to be US-CERT given Delinea's Santa Clara headquarters, to disclose the vulnerability on his behalf.

Delinea allegedly failed to respond to the responsible disclosure attempts, even after two deadline extensions.

Yu went public on April 10, two days before Delinea's disruption and resultant patch release. ®

Updated at 1556 UTC to add

Delinea sent us this statement post-publication:

"We confirm there was a vulnerability in Secret Server. Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable. We have provided a remediation guide for our on-premise customers to fix the vulnerability.

"Our Engineering and Security teams have conducted reviews for any evidence of compromised tenant data. At this time, we have found no evidence that any customer's data has been compromised and no attempts to exploit the vulnerability have occurred. We continue to monitor this situation. Ongoing updates will be posted on trust.delinea.com."
