CVE-2024-33891: Researcher Exposes Severe Flaw in Delinea’s Secret Server

Organizations using Delinea’s Secret Server, a popular Privileged Access Management (PAM) solution, are urged to update immediately following the exposure of a critical vulnerability, assigned CVE-2024-33891 and having an 8.8 CVSS score. If left unpatched, this flaw allows attackers to bypass authentication completely, granting them the same level of access as a legitimate administrator within the system.

Privileged Access Management (PAM) solutions, like Delinea Secret Server, act as secure vaults for passwords, API keys, certificates, and other credentials across an organization’s technology infrastructure. If hackers can bypass authentication, they hold the keys to sensitive servers, databases, and even domain controllers. The ramifications of a successful exploit range from catastrophic data breaches to crippling ransomware attacks that can hold a business hostage.

Security researcher Johnny Yu independently discovered the Secret Server vulnerability and began the responsible disclosure process on February 12th, 2024. Unfortunately, his attempts to communicate with Delinea were met with silence, prompting him to involve the CERT Coordination Center. After further inaction from Delinea, Yu made the difficult decision to release the vulnerability details publicly on April 12th. This timeline casts a concerning light on software security, as delayed responses to critical vulnerability disclosures leave end-users vulnerable.

The CVE-2024-33891 vulnerability centers around the Secret Server’s SOAP API. Yu discovered two critical issues:

1. A hardcoded key used to deserialize an API token into a Microsoft.Owin.Security.AuthenticationTicket object.
2. A predictable nameidentifier property in each user profile, which holds an integer string and plays a pivotal role in user authentication.

Exploiting these vulnerabilities could allow an attacker to bypass authentication mechanisms, gaining unauthorized access to the system with potential administrative rights.

After the vulnerability details went public, Delinea acknowledged the issue on April 13 and described it as a “critical vulnerability” in the SOAP API. Initially, Delinea took swift action by blocking the affected SOAP endpoints for its cloud-based Secret Server customers and releasing indicators of compromise (IoCs) to help users detect potential breaches.

On April 14, Delinea released updates (11.7.000001) for both its Delinea Platform and Secret Server Cloud, followed closely by patches for on-premises versions. These patches address the disclosed vulnerability, securing the endpoints and modifying the authentication mechanisms to prevent exploitation.