A critical vulnerability has been found in CyberArk's Enterprise Password Vault that allows attackers to gain unauthorized access to the system through its web application.
Enterprise Password Vault (EPV) solutions enable companies to manage passwords securely, control privileged-account passwords across a large number of client/server and mainframe operating systems, switches and databases, and keep them safe from external as well as internal attackers.
The vulnerability was found by the German cybersecurity firm RedTeam Pentesting GmbH. It affects the Enterprise Password Vault product built by CyberArk, a password management and privileged-account security tool.
The vulnerability (CVE-2018-9843) resides in CyberArk Password Vault Web Access, a .NET web application CyberArk built to let its customers access their accounts remotely.
The flaw stems from the way the web server handles deserialization unsafely, allowing an attacker to execute code on the server that processes the deserialized data.
The researchers explain that when a user logs in, the application's REST API exchange carries an Authorization header containing a serialized .NET object, encoded in base64, that holds data about the user's session. They found that the "integrity of the serialized data is not protected."
Because the server neither verifies the integrity of the serialized data nor handles deserialization safely, an attacker can replace the token in the Authorization header with a crafted serialized object and obtain unauthenticated remote code execution on the web server.
The researchers released a full proof-of-concept exploit that demonstrates the vulnerability using ysoserial.net, an open-source tool for generating payloads against .NET applications that deserialize objects unsafely.
RedTeam Pentesting reported the vulnerability to CyberArk, which released patched versions of CyberArk Password Vault Web Access; the technical details and exploit code were published afterwards.
Organizations running CyberArk Password Vault Web Access are advised to upgrade to version 9.9.5, 9.10 or 10.2.
Where an immediate upgrade is not possible, the workaround is to disable all access to the REST API at the route /PasswordVault/WebServices, which also blocks legitimate API clients until the patch is applied.