Monday, April 9, 2018

[FD] [RT-SA-2017-015] CyberArk Password Vault Memory Disclosure

Advisory: CyberArk Password Vault Memory Disclosure

Data in the CyberArk Password Vault may be accessed through a proprietary network protocol. While answering a client's logon request, the vault discloses around 50 bytes of its memory to the client.

Details
=======

Product: CyberArk Password Vault
Affected Versions: < 9.7, < 10
Fixed Versions: 9.7, 10
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://www.cyberark.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-015
Advisory Status: published
CVE: CVE-2018-9842
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9842

Introduction
============

"CyberArk Enterprise Password Vault is designed to secure, rotate and control access to privileged account credentials based on organizational policies. A flexible architecture allows organizations to start small and scale to the largest, most complex IT environments. The solution protects privileged account credentials used to access the vast majority of systems." (from the Enterprise Password Vault Data Sheet [1])

More Details
============

The CyberArk Password Vault serves as a database to securely store credentials. Furthermore, the vault enforces access controls and logs access to its records. Data stored in the vault may be accessed through a proprietary network protocol, which is usually transmitted over TCP port 1858. Various clients, such as web applications or command line tools, are provided by CyberArk to interface with a vault.

The first message a client sends to the vault is a "Logon" command. Using a network sniffer, such a message was captured:

$ xxd logon.bin
00000000: ffff ffff f700 0000 ffff ffff 3d01 0000  ............=...
00000010: 5061 636c 6953 6372 6970 7455 7365 7200  PacliScriptUser.
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0020 2020  .............   
00000070: 20ff ffff ff00 0000 0000 0000 0000 0073   ..............s
00000080: 0000 00ce cece ce00 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0030 3d4c 6f67 6f6e fd31  .......0=Logon.1
000000a0: 3135 3d37 2e32 302e 3930 2e32 38fd 3639  15=7.20.90.28.69
000000b0: 3d50 fd31 3136 3d30 fd31 3030 3dfd 3231  =P.116=0.100=.21
000000c0: 373d 59fd 3231 383d 5041 434c 49fd 3231  7=Y.218=PACLI.21
000000d0: 393d fd33 3137 3d30 fd33 3537 3d30 fd32  9=.317=0.357=0.2
000000e0: 323d 5061 636c 6953 6372 6970 7455 7365  2=PacliScriptUse
000000f0: 72fd 3336 373d 3330 fd00 00              r.367=30...

Starting at offset 0x97, a type of remote procedure call can be identified. In this case, "Logon" is invoked for the user "PacliScriptUser". This message does not contain any random, unpredictable data. Therefore, it may be replayed at will once captured. This can be accomplished using netcat:
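To make the captured message easier to inspect when reviewing traffic on port 1858, here is an added Python decoder (not part of the advisory or of CyberArk's tooling) that re-types the xxd dump above and splits the RPC section at offset 0x97 into its 0xfd-separated key=value fields. The header offsets and the meaning of field numbers 0, 22 and 218 are assumptions drawn from this single capture.

```python
"""Decode the captured CyberArk logon message from the advisory. Offsets and
field meanings are inferred from this single capture (assumptions)."""
from typing import Dict, List, Tuple

# The advisory's logon.bin, re-typed from its xxd output (251 bytes).
LOGON_MESSAGE = bytes.fromhex(
    "ffff ffff f700 0000 ffff ffff 3d01 0000"
    "5061 636c 6953 6372 6970 7455 7365 7200"
    + "0000" * 32 +  # offsets 0x20-0x5f: 64 zero bytes
    "0000 0000 0000 0000 0000 0000 0020 2020"
    "20ff ffff ff00 0000 0000 0000 0000 0073"
    "0000 00ce cece ce00 0000 0000 0000 0000"
    "0000 0000 0000 0030 3d4c 6f67 6f6e fd31"
    "3135 3d37 2e32 302e 3930 2e32 38fd 3639"
    "3d50 fd31 3136 3d30 fd31 3030 3dfd 3231"
    "373d 59fd 3231 383d 5041 434c 49fd 3231"
    "393d fd33 3137 3d30 fd33 3537 3d30 fd32"
    "323d 5061 636c 6953 6372 6970 7455 7365"
    "72fd 3336 373d 3330 fd00 00"
)
USER_OFFSET = 0x10   # NUL-terminated user name in the fixed header
RPC_OFFSET = 0x97    # where the advisory locates the "Logon" call
FIELD_SEP = b"\xfd"  # byte observed between the key=value pairs

def header_user(msg: bytes) -> str:
    """User name from the fixed header, up to its terminating NUL."""
    return msg[USER_OFFSET:].split(b"\x00", 1)[0].decode("ascii")

def rpc_fields(msg: bytes) -> List[Tuple[str, str]]:
    """Split the RPC section into (key, value) pairs in wire order."""
    body = msg[RPC_OFFSET:].split(b"\x00", 1)[0]
    fields = []
    for chunk in body.split(FIELD_SEP):
        if not chunk:  # trailing separator before the final NULs
            continue
        key, sep, value = chunk.partition(b"=")
        if not sep:
            raise ValueError(f"malformed field: {chunk!r}")
        fields.append((key.decode("ascii"), value.decode("ascii")))
    return fields

def summarize(msg: bytes) -> Dict[str, str]:
    """Fields that identify the call; the number-to-meaning mapping is an
    assumption drawn from this one capture."""
    fields = dict(rpc_fields(msg))
    return {"header_user": header_user(msg), "command": fields.get("0", ""),
            "rpc_user": fields.get("22", ""), "client": fields.get("218", "")}

if __name__ == "__main__":
    print(summarize(LOGON_MESSAGE))
```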
