An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.
{"id": "CVE-2021-31796", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-31796", "description": "An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.", "published": "2021-09-02T01:15:00", "modified": "2021-09-10T17:03:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31796", "reporter": "cve@mitre.org", "references": ["https://www.cyberark.com/resources/blog", "https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt", "http://seclists.org/fulldisclosure/2021/Sep/1", "http://packetstormsecurity.com/files/164023/CyberArk-Credential-File-Insufficient-Effective-Key-Space.html"], "cvelist": ["CVE-2021-31796"], "immutableFields": [], "lastseen": "2022-03-23T18:08:34", "viewCount": 22, "enchantments": {"dependencies": {"references": [{"type": "githubexploit", "idList": ["0E92F71E-A3D4-5445-A38A-BD41B5C8EFF6"]}, {"type": "korelogic", "idList": ["KL-001-2021-008"]}], "rev": 4}, "score": {"value": 1.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "githubexploit", "idList": ["0E92F71E-A3D4-5445-A38A-BD41B5C8EFF6"]}, {"type": "korelogic", "idList": ["KL-001-2021-008"]}]}, "exploitation": null, "vulnersScore": 1.3}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-326"], "affectedSoftware": [{"cpeName": "cyberark:credential_provider", "version": "12.1", "operator": "lt", "name": "cyberark credential provider"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:cyberark:credential_provider:12.1:*:*:*:*:*:*:*", "versionEndExcluding": "12.1", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.cyberark.com/resources/blog", "name": "https://www.cyberark.com/resources/blog", "refsource": "MISC", "tags": ["Product"]}, {"url": "https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt", "name": "https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt", "refsource": "MISC", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2021/Sep/1", "name": "http://seclists.org/fulldisclosure/2021/Sep/1", "refsource": "MISC", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/164023/CyberArk-Credential-File-Insufficient-Effective-Key-Space.html", "name": "http://packetstormsecurity.com/files/164023/CyberArk-Credential-File-Insufficient-Effective-Key-Space.html", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"]}]}
{"korelogic": [{"lastseen": "2021-12-01T13:42:45", "description": "1. Vulnerability Details\n\n Affected Vendor: CyberArk\n Affected Product: Application Access Manager/Credential Provider\n Affected Version: Prior to 12.1\n Platform: Linux/Windows/zOS\n CWE Classification: CWE-326: Inadequate Encryption Strength\n CVE ID: CVE-2021-31796\n\n\n2. Vulnerability Description\n\n CyberArk Credential Providers and possibly other Vault\n components use credential files to store usernames and encrypted\n passwords. Under certain conditions, the effective key space\n used to encrypt the passwords is significantly reduced. For\n an attacker who understands the key derivation scheme and\n encryption mechanics, full access to the information used to\n derive the encryption key is sufficient to reduce effective key\n space to one. With partial access, the effective key space can\n vary depending on the information available, and a number of\n those variations are unlikely to withstand brute force attacks.\n\n\n3. Technical Description\n\n The password(s) stored in CyberArk version 2 credential (.cred)\n files are protected against inadvertent disclosure through\n the use of a proprietary key derivation scheme and Advanced\n Encryption Standard (AES) encryption. More specifically, each\n password along with some additional information is encrypted\n using the AES cipher in Cipher Block Chaining (CBC) mode,\n a 256-bit key, and a 128-bit Initialization Vector (IV).\n\n Per online documentation, the encryption key is derived from a\n random 160-bit salt and the following environmental information:\n Client ID (10 characters), OS user, IP address, and Application\n [1].\n\n Based on analysis and observations, the following credential\n file fields are involved in the key derivation process:\n\n - ClientApp (conditionally required)\n - AppPath (conditionally required)\n - ClientIP (conditionally required)\n - OSUser (conditionally required)\n - AdditionalInformation ( required)\n - ClientHostname (conditionally required)\n\n where\n\n - ClientApp identifies the allowed application type\n - AppPath is a path that points to an allowed system executable\n - ClientIP identifies the allowed system IP address\n - OSUser identifies the allowed system user\n - AdditionalInformation is a 160-bit random salt\n - ClientHostname identifies the allowed system hostname\n\n Whether or not the conditionally required fields noted above are\n required (i.e., used in the key derivation process) depends on\n the value of the VerificationsFlag field, which is implemented\n as a bit mask having the undocumented mappings shown in the\n table below.\n\n +-----------------------+------------+-----+\n | Field | Mask Value | Bit |\n +-----------------------+------------+-----+\n | ClientApp | 0x0001 | 0 |\n | AppPath | 0x0002 | 1 |\n | ClientIP | 0x0004 | 2 |\n | OSUser | 0x0008 | 3 |\n | AdditionalInformation | 0x0010 | 4 |\n | ClientHostname | 0x0020 | 5 |\n +-----------------------+------------+-----+\n\n For a specific VerificationsFlag value, a given field is\n required if its bit is set in the aggregate mask for that\n value. For example, an aggregate mask of 17 (0x0011) indicates\n that the AdditionalInformation (bit 4) and ClientApp (bit 0)\n fields are required since those mask values (i.e., 0x0010 and\n 0x0001) yield an aggregate mask of 0x0011 when ORed together in\n a bitwise operation. Similarly, an aggregate mask of 63 (0x003f)\n indicates that all fields in the table above are required.\n\n Below is a table derived from online documentation [1]. It\n identifies all currently known application types. For the\n purposes of key derivation, this list constitutes the set\n of valid choices for the ClientApp field. If the bit for\n this field is set in the aggregate mask, the corresponding\n value undergoes several transformations prior to being folded\n into the key derivation process. First, it is converted to\n a lowercase string. Next, the lowercase string is hashed\n using SHA1. Finally, the resultant hash (in binary form)\n is encoded as a Base64 string. In the sections that follow,\n this transformed value will be referred to as ClientAppXForm.\n\n +---------------------------------------------+----------------+\n | Application Type | ID |\n +---------------------------------------------+----------------+\n | Central Policy Manager | CPM |\n | Password Vault Web Access | PVWA |\n | Password Vault Web Access application user | PVWAApp |\n | OPM and Credential Provider | AppPrv |\n | Privileged Session Manager application user | PSMApp |\n | CyberArk Replicator/Restore/Prebackup | CABACKUP |\n | Disaster Recovery Vault | DR |\n | Event Notification Engine | ENE |\n | PrivateArk Client | WINCLIENT, GUI |\n | CyberArk CLI | PACLI |\n | CyberArk ActiveX API | XAPI |\n | CyberArk .Net API | NAPI |\n | Export Vault Data | EVD |\n | CyberArk Encryption Utility | CACrypt |\n +---------------------------------------------+----------------+\n\n Embedded in the key derivation code are two undocumented,\n hard-coded byte sequences (henceforth referred to as Suffix1\n and Suffix2).\n\n Given the above, the key derivation process can be summarized\n as follows:\n\n - start a pair of SHA1 hashes (Hash1 and Hash2)\n - update each hash with required field values in the following\n order: ClientAppXForm, AppPath, ClientIP, ClientHostname,\n OSUser, and AdditionalInformation\n - update Hash1 with Suffix1\n - update Hash2 with Suffix2\n - finalize hashes\n - construct encryption key using Hash1[0:20] and Hash2[0:12]\n\n Unfortunately, the effective key space can be substantially\n less than the total key space, which is 2^256. This is due to\n a lack of entropy in the field values used. The table below\n provides a qualified best case estimate for each field value\n than can be used.\n\n +-----------------------+-----------------+--------------------------------------------------------+\n | Best Case Estimates |\n +-----------------------+-----------------+--------------------------------------------------------+\n | Field | Possible Values | Basis for Estimate |\n +-----------------------+-----------------+--------------------------------------------------------+\n | ClientAppXForm | =15 | actual number of documented application types |\n | AppPath | <=1000000 | reasonable number of distinct files on a Linux system |\n | ClientIP | <=2^24 | confined to a single class A network |\n | ClientHostname | <=63^63 | confined to 63 characters drawn from [0-9A-Za-z-] |\n | OSUser | <=1000 | reasonable number of distinct users on a Linux system |\n | AdditionalInformation | =16^40 | actual size of value |\n +-----------------------+-----------------+--------------------------------------------------------+\n\n If all fields are used, the effective key space would be:\n\n 15 * 1000000 * 2^24 * 63^63 * 1000 * 16^40\n\n or approximately 2^595. This is certainly better than 2^256,\n but it's not realistic because additional context will\n be available in the typical attack scenario: a credential\n file is found/accessed within the system/network for which\n it was originally created/deployed. With this scenario, an\n attacker will likely be able to significantly narrow the set\n of possible values for the AppPath, ClientIP, ClientHostname,\n and OSUser fields. The table below provides a more realistic\n set of estimates.\n\n +-----------------------+-----------------+--------------------------------------------------------+\n | Realistic Estimates |\n +-----------------------+-----------------+--------------------------------------------------------+\n | Field | Possible Values | Basis for Estimate |\n +-----------------------+-----------------+--------------------------------------------------------+\n | ClientAppXForm | =15 | actual number of documented application types |\n | AppPath | <=256 | limited to CyberArk components actually installed/used |\n | ClientIP | <=256 | if no direct lookup, likely to be class C or less |\n | ClientHostname | <=256 | if no direct lookup, follow site naming conventions |\n | OSUser | <=256 | reasonable number of likely users on a Linux system |\n | AdditionalInformation | =1 | value specified in credential file |\n +-----------------------+-----------------+--------------------------------------------------------+\n\n If all fields are used, the effective key space would be:\n\n 15 * 256 * 256 * 256 * 256 * 1\n\n or approximately 2^36. Note that the work factor associated\n with this key space is well within the reach of even modest\n compute power.\n\n In the case where an attacker has access to all the information\n used to derive the encryption key, the effective key space is\n reduced to one. To illustrate this point, consider the example\n credential file created using the CyberArk \"createcredfile\"\n utility, shown below.\n\n $ createcredfile example_0x003f.cred Password -Username ca_user -Password ca_pass -ExternalAuth no -AppType AppPrv -ExePath /opt/CARKaim/sdk/clipasswordsdk -IPAddress -Hostname -OSUsername os_user -DisplayRestrictions\n --- example_0x003f.cred ---\n CredFileType=Password\n CredFileVersion=2\n Username=ca_user\n VerificationsFlag=63\n Password=A9125EA93F77E5DEABB00FB822169AEAC0E5AC6EEA08FF4F90EC0361E43992B27077B73242916AE401081ACD6842D89A\n ExternalAuthentication=no\n AdditionalInformation=27653F765AE71F605833AF1A3EC96048477F133F\n ClientApp=AppPrv\n AppPath=/opt/CARKaim/sdk/clipasswordsdk\n ClientIP=192.168.1.6\n ClientHostname=krom\n OSUser=os_user\n --- example_0x003f.cred ---\n\n When SUFFIX1 and SUFFIX2 are assigned the proper values, the\n decryption utility provided in the Proof-of-Concept section\n below will decrypt example_0x003f.cred as demonstrated here:\n\n $ decrypt-cyberark-credfile.py ${SUFFIX1} ${SUFFIX2} example_0x003f.cred\n --- output ---\n SUPPLIED_VERIFICATION_FLAGS='0x003f' (63)\n REQUIRED_VERIFICATION_FLAGS='0x003f' (63)\n TARGET='Password'\n KEY='0E145BE620B42749F077294ED222C6799A2A31C88BB7528C2863AC90D5DE4A52'\n IV='A9125EA93F77E5DEABB00FB822169AEA'\n ACTUAL_PLAINTEXT_HASH='1D2BABAF7564A7291782DBC1258E5E62D8D7CBF8'\n TARGET_PLAINTEXT_HASH='1D2BABAF7564A7291782DBC1258E5E62D8D7CBF8'\n DECRYPTION_STATUS='pass'\n PASSWORD='ca_pass'\n --- output ---\n\n Note that it's not uncommon to encounter credential files\n with a VerificationsFlag value of 16 (i.e., 0x0010). This\n means that the effective key space is automatically one. The\n example below demonstrates that scenario.\n\n $ createcredfile example_0x0010.cred Password -Username ca_user -Password ca_pass\n --- example_0x0010.cred ---\n CredFileType=Password\n CredFileVersion=2\n Username=ca_user\n VerificationsFlag=16\n Password=E948B686F881DE616B2E00672B0ED39982977250CF9AD473A5C445FE240268DBC27E686B40AA5B6D204B14D6CCD56801\n ExternalAuthentication=No\n AdditionalInformation=6CF3132ECA8BD1A9F550DB18F69176EFCF8823DD\n --- example_0x0010.cred ---\n\n $ decrypt-cyberark-credfile.py ${SUFFIX1} ${SUFFIX2} example_0x0010.cred\n --- output ---\n SUPPLIED_VERIFICATION_FLAGS='0x0010' (16)\n REQUIRED_VERIFICATION_FLAGS='0x0010' (16)\n TARGET='Password'\n KEY='6BE15C6BFFF6F234E74CE46F8D510F76490778658E9B903D693A92150D64A715'\n IV='E948B686F881DE616B2E00672B0ED399'\n ACTUAL_PLAINTEXT_HASH='1D2BABAF7564A7291782DBC1258E5E62D8D7CBF8'\n TARGET_PLAINTEXT_HASH='1D2BABAF7564A7291782DBC1258E5E62D8D7CBF8'\n DECRYPTION_STATUS='pass'\n PASSWORD='ca_pass'\n --- output ---\n\n In cases where security restrictions (i.e.,\n '-DisplayRestrictions') have been enabled or certain fields\n are not represented in a given credential file, the decryption\n utility would need to be modified to brute force missing values,\n but that is relatively easy to do.\n\n [1] https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/CreateCredFile-Utility.htm\n\n\n4. Mitigation and Remediation Recommendation\n\n The vendor has released an updated version (v12.1) which\n remediates the described vulnerability. Release notes are\n available at:\n\n https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/Release%20Notes/RN-WhatsNew12-1-CPs.htm?tocpath=Get%20Started%7CWhat%E2%80%99s%20New%7CRelease%20Notes%7C_____4\n\n\n5. Credit\n\n This vulnerability was discovered by Klayton Monroe of\n KoreLogic, Inc.\n\n\n6. Disclosure Timeline\n\n 2020.11.04 - KoreLogic submits vulnerability details to\n CyberArk.\n 2020.11.05 - CyberArk acknowledges receipt and the intention\n to investigate.\n 2020.11.16 - KoreLogic and CyberArk meet to discuss the\n details of this and other reported\n vulnerabilities. Both parties agree that the\n remediation timeline will extend significantly\n longer than the standard 45 business days specified\n in the KoreLogic Public Disclosure Policy.\n 2021.01.14 - 45 business days have elapsed since the\n vulnerability was reported to CyberArk.\n 2021.01.21 - KoreLogic and CyberArk meet to discuss proposed\n remediation efforts for this and other reported\n vulnerabilities.\n 2021.03.24 - 90 business days have elapsed since the\n vulnerability was reported to CyberArk.\n 2021.04.22 - CyberArk notifies KoreLogic that the reported\n vulnerability will be mitigated in a version\n scheduled for release in late May, 2021.\n 2021.05.10 - 120 business days have elapsed since the\n vulnerability was reported to CyberArk.\n 2021.05.10 - CyberArk provides KoreLogic with the CVE for this\n vulnerability. Vendor requests KoreLogic delay\n public disclosure until the end of June, 2021.\n 2021.06.08 - KoreLogic and CyberArk meet to discuss the details\n of the product release and revisit timeline for\n public disclosure. CyberArk informs KoreLogic that\n the Linux/Windows version of the Credential\n Provider will be released at the end of June, 2021.\n A Credential Provider for the zOS platform will be\n released at the end of July, 2021. KoreLogic agrees\n to delay public disclosure of this and other\n reported vulnerabilities until 2021.08.15.\n 2021.06.23 - CyberArk releases Credential Provider v12.1 for\n Linux/Windows platforms.\n 2021.08.05 - 180 business days have elapsed since the\n vulnerability was reported to CyberArk.\n 2021.08.10 - CyberArk informs KoreLogic that the zOS Credential\n Provider update has been released to their\n customers. Requests that KoreLogic forgo\n publication of the Proof of Concept code as an\n unforseen issue prevents some customers from\n updating in the near term.\n 2021.08.27 - KoreLogic suggests delaying the release of the\n Proof of Concept until a to-be-determined future\n date.\n 2021.08.30 - CyberArk tenders 2022.01.01 release date for the\n Proof of Concept.\n 2021.09.01 - KoreLogic public disclosure.\n\n\n7. Proof of Concept\n\n At the vendor's request, KoreLogic has agreed to delay\n publication of the Proof of Concept while customers continue\n to deploy the updated versions of the product.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-09-01T00:00:00", "type": "korelogic", "title": "CyberArk Credential File Insufficient Effective Key Space", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31796"], "modified": "2021-09-01T00:00:00", "id": "KL-001-2021-008", "href": "https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "githubexploit": [{"lastseen": "2021-12-10T15:37:37", "description": "# C-Ark Credential Decoder\nExploit tool for **CVE-2021-31796** ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2017-04-19T06:01:08", "type": "githubexploit", "title": "Exploit for Inadequate Encryption Strength in Cyberark Credential Provider", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31796"], "modified": "2021-10-11T18:01:38", "id": "0E92F71E-A3D4-5445-A38A-BD41B5C8EFF6", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}]}
CVE-2021-31796
