Remote Code Execution Vulnerability in the CyberArk Enterprise Password Vault Application
According to thehackernews on April 9, RedTeam Pentesting GmbH, a German network security company, discovered a serious remote code execution vulnerability (CVE-2018-9843) in the CyberArk Enterprise Password Vault application that could allow attackers to gain unauthorized access to the system with the privileges of the Web application.
Enterprise Password Vault (EPV) solutions help organizations securely manage their sensitive passwords, control privileged account passwords across client/server and mainframe operating systems, switches, and databases, and protect them from outside attackers and malicious insiders.
RedTeam Pentesting GmbH found that the vulnerability resides in the Web Access component of the CyberArk password vault. It is caused by the Web server handling deserialization insecurely, which may allow an attacker to execute code on the server that processes the deserialized data.
When a user logs in to an account, the CyberArk Enterprise Password Vault application uses the REST API to send an authentication request to the server, which includes an authorization header containing a base64-encoded serialized .NET object. This serialized .NET object holds information about the user's session, but the researchers discovered that "the integrity of the serialized data is not protected."
Because the server does not verify the integrity of the serialized data and handles deserialization insecurely, an attacker need only manipulate the authentication token and inject malicious content into the authorization header, thereby obtaining "unauthenticated remote code execution on the Web server."
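The missing control described above is integrity protection of the session token before anything is deserialized. As an added example (not CyberArk's code or the researchers'), the Python sketch below shows a server issuing a base64 token over a data-only JSON payload with an HMAC-SHA256 tag appended, and verifying that tag before the payload is parsed; the key, session fields and helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real server loads this from a key store, never from source.
SERVER_KEY = b"constructed-demo-key-do-not-use"
TAG_LEN = 32  # SHA-256 digest length in bytes


def issue_token(session: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize session state as JSON and append an HMAC-SHA256 tag over those bytes.

    JSON is used deliberately instead of a general object serializer: the server
    later reconstructs plain data, never an arbitrary object graph."""
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def verify_token(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the session dict only if the tag is valid; anything else yields None.

    The MAC is checked before the payload is parsed, so bytes an attacker could
    have modified never reach the deserializer."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        session = json.loads(payload)
    except ValueError:
        return None
    return session if isinstance(session, dict) else None


def tampered_copy(token: str, old: bytes, new: bytes) -> str:
    """Constructed test helper: modify the decoded payload without knowing the key,
    to show that verify_token rejects the result."""
    raw = base64.b64decode(token)
    return base64.b64encode(raw.replace(old, new)).decode()
```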
The researchers strongly recommend that companies using CyberArk Password Vault Web Access upgrade to version 9.9.5, 9.10, or 10.2. If upgrading immediately is not possible, a possible mitigation for this vulnerability is to disable all access to the API on the route /PasswordVault/WebServices.
Source: thehackernews