Skip links

Delinea Secret Server customers should apply latest patches

Customers of Delinea’s Secret Server are being urged to upgrade their installations “immediately” after a researcher claimed a critical vulnerability could allow attackers to gain admin-level access.

Secret Server is a privileged access management (PAM) product from Delinea (formerly known as Thycotic and ThycoticCentrify), meaning admin-level access could provide attackers with a way into account credentials of an organization’s most senior staff. A keys to the kingdom kind of deal.

Researcher Johnny Yu discovered the vulnerability affecting both on-prem and cloud deployments of Secret Server, and published the details late last week after what he says was a lengthy and ultimately failed campaign to disclose the issue to Delinea.

Delinea acknowledged the “critical vulnerability” in the SOAP API on April 13 and fixed it in the latest version (11.7.000001), but didn’t credit Yu by name with the discovery.

It also said there is no evidence to suggest the vulnerability, which hasn’t been assigned a CVE, was exploited before the fix was released, and therefore all customer data is believed to be safe.

The release of version 11.7.000001 followed a seven-hour outage on April 12, per Delinea’s status page, which stated it was investigating a security incident. Delinea blocked traffic to an unnamed endpoint that contained a “security concern” until the patch was rolled out hours later.

The vendor didn’t explicitly link the disclosed vulnerability to the security incident that led to the service disruption a day earlier – the dedicated page for the Secret Server vulnerability also mentioned SOAP endpoints being limited for Secret Server Cloud customers.

Infosec expert Kevin Beaumont claimed he was able to confirm that the disruption was related to the vulnerability in question.

“On-prem customers need to update, and cloud customers need to hope Delinea understands exactly what happened and is transparent about outcomes,” he said. “For example, if nothing happened, why are there attacker indicators of compromise?”

The Reg asked Delinea about a few of the incident’s particulars, but it didn’t immediately respond.

Dropping the SOAP

Yu’s writeup states he made two key discoveries that led to the authentication bypass exploit. The first was a hardcoded key used to deserialize an API token into a Microsoft.Owin.Security.AuthenticationTicket object, and the other was that each user profile had a nameidentifier property, which holds an integer string.

He realized that every account holds an integer value in the order in which it was created, so an admin account, which is created during Secret Server’s installation, always had the nameidentifier value of “2”.

“If we know the hardcoded key to deserializing the API token and we know the integer value associated with the admin profile, we should be able to craft a serialized API token with admin role, and net access to any Delinea Secret Server’s protected resources through the web services API,” Yu blogged.

After overcoming an issue that required an AuthenticationTicket to be associated with a valid timestamp that was created by an authenticated user, Yu says he was able to develop a local privilege escalation (LPE) exploit.

He then noted that if he removed the oauthExpirationId attribute from the AuthenticationTicket, the timestamp check wouldn’t be invoked, in turn creating a full authentication bypass exploit.

Yu says he tried to disclose the vulnerability to Delinea on February 12, but was told by the vendor that he couldn’t open a case since he wasn’t a paying customer, nor was he affiliated with one.

Per his disclosure timeline, the researcher tried to work with “CERT,” which we can assume to be US-CERT given Delinea’s Santa Clara headquarters, to disclose the vulnerability on his behalf.

Delinea allegedly failed to respond to the responsible disclosure attempts, even after two deadline extensions.

Yu went public on April 10, two days before Delinea’s disruption and resultant patch release. ®