A serious remote code execution vulnerability has been uncovered in the CyberArk Enterprise Password Vault application. This vulnerability poses a substantial risk, allowing attackers to potentially gain unauthorized access to the system with the same privileges as the web application itself.
The discovery was made by RedTeam Pentesting GmbH, a cybersecurity firm based in Germany, and affects organizations relying on CyberArk’s password management solutions to safeguard sensitive information. Enterprise Password Vaults (EPVs) are designed to manage privileged account passwords across various systems, including databases and switches, protecting them against both external threats and malicious insiders.
The vulnerability, identified as CVE-2018-9843, exists in CyberArk Password Vault Web Access, a .NET-based web application intended for secure remote account access. The flaw arises from the application’s unsafe handling of deserialization operations, creating an opening for attackers to execute malicious code on the server.
Upon user authentication, the application uses a REST API to transmit an authorization request. This request carries a base64-encoded, serialized .NET object containing session information. The integrity of this serialized data is not protected: the researchers found that the web server does not verify it before deserializing it, so an attacker can replace the authentication token in the authorization header with a crafted serialized object and achieve remote code execution on the server.
The researchers demonstrated the vulnerability with proof-of-concept code built using ysoserial.net, a tool that generates payloads for .NET applications that deserialize untrusted data.
Following the responsible disclosure of the vulnerability to CyberArk, the company has since released patched versions of CyberArk Password Vault Web Access. Organizations utilizing this service are strongly advised to upgrade to versions 9.9.5, 9.10, or 10.2 to mitigate any security risks.
Businesses unable to update immediately can take precautionary measures by disabling access to the API endpoint at /PasswordVault/WebServices, reducing the exposure to potential attacks.
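Until the upgrade lands, a defender can at least watch what arrives in the authorization header of requests to the API path. The following is an added example, not code from CyberArk or from the RedTeam advisory: it recognises the fixed header every .NET BinaryFormatter stream begins with, and since a genuine session token only references a known set of type and assembly strings, it flags any token whose decoded stream contains strings outside that baseline. The session type name, the sample requests and the `/PasswordVault/WebServices/Example.svc` path are constructed for the example; the real token's strings would be captured from a known-good session.

```python
import base64
import binascii
import re

# First 17 bytes of every .NET BinaryFormatter stream (SerializationHeaderRecord:
# record type 0x00, root id 1, header id -1, version 1.0); base64 "AAEAAAD/////AQAAAAAAAAA".
BINARYFORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff0100000000000000")
# Type names a session token must never reference (assumed example; extend from
# published deserialization detection rules).
DANGEROUS_FRAGMENTS = (b"System.Diagnostics.Process",)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

def decode_token(header_value):
    """Raw stream if the value is base64 of a BinaryFormatter stream, else None."""
    try:
        raw = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if raw.startswith(BINARYFORMATTER_MAGIC) else None

def inspect_token(header_value, allowed_strings):
    """Allowlist check: a genuine token only references known type/assembly
    strings, so any other printable run (e.g. a gadget's type name) is suspicious."""
    raw = decode_token(header_value)
    if raw is None:
        return "not-serialized", []
    unexpected = sorted({s.decode("ascii") for s in PRINTABLE_RUN.findall(raw)
                         if not any(a in s for a in allowed_strings)})
    if unexpected or any(f in raw for f in DANGEROUS_FRAGMENTS):
        return "suspicious", unexpected
    return "ok", []

def scan_requests(requests, allowed_strings):
    """(method, path, unexpected strings) for each suspicious request to the API path."""
    findings = []
    for method, path, auth in requests:
        if path.startswith("/PasswordVault/WebServices"):
            verdict, unexpected = inspect_token(auth, allowed_strings)
            if verdict == "suspicious":
                findings.append((method, path, unexpected))
    return findings

# Constructed samples: a made-up session type for the baseline, and a stand-in
# payload that carries only the header plus one type name (not a working chain).
LEGIT_STRINGS = (b"ExampleApp, Version=1.0.0.0", b"ExampleApp.SessionToken")
LEGIT_TOKEN = base64.b64encode(BINARYFORMATTER_MAGIC + b"\x0c\x02\x00\x00\x00\x1b"
    b"ExampleApp, Version=1.0.0.0\x05\x01\x00\x00\x00\x17ExampleApp.SessionToken").decode()
PAYLOAD_TOKEN = base64.b64encode(BINARYFORMATTER_MAGIC + b"\x0c\x02\x00\x00\x00\x1a"
    b"System.Diagnostics.Process").decode()
OPAQUE_TOKEN = base64.b64encode(b'{"session":"abc123"}').decode()
SAMPLE_REQUESTS = [("POST", "/PasswordVault/WebServices/Example.svc", LEGIT_TOKEN),
                   ("GET", "/PasswordVault/WebServices/Example.svc", PAYLOAD_TOKEN),
                   ("GET", "/PasswordVault/Other", PAYLOAD_TOKEN)]  # outside API path
```

Calling `scan_requests(SAMPLE_REQUESTS, LEGIT_STRINGS)` reports only the second request, whose token references `System.Diagnostics.Process`; the baseline token and the non-serialized token pass.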
This incident highlights the critical importance of software security and the need for continuous monitoring of vulnerabilities in third-party applications, especially those that play such a pivotal role in managing sensitive organizational accounts. Awareness and prompt action can serve as vital defenses against exploitation attempts related to this vulnerability, ensuring the security of systems that hold comprehensive access to confidential data.
In conclusion, organizations must remain vigilant and proactive in their cybersecurity efforts, acknowledging that vulnerabilities, such as the one found in CyberArk, can pose serious risks to data integrity and security. For ongoing updates on cybersecurity threats and practices, professionals are encouraged to follow recognized sources and channels in the field.