Critical Code Execution Flaw Found in CyberArk Enterprise Password Vault

A critical remote code execution vulnerability has been discovered in CyberArk Enterprise Password Vault application that could allow an attacker to gain unauthorized access to the system with the privileges of the web application.

Enterprise password manager (EPV) solutions help organizations securely manage their sensitive passwords, controlling privileged accounts passwords across a wide range of client/server and mainframe operating systems, switches, databases, and keep them safe from external attackers, as well as malicious insiders.

Discovered by German cybersecurity firm RedTeam Pentesting GmbH, the vulnerability affects one of such Enterprise Password Vault apps designed by CyberArk—a password management and security tool that manages sensitive passwords and controls privileged accounts.

The vulnerability (CVE-2018-9843) resides in CyberArk Password Vault Web Access, a .NET web application created by the company to help its customers access their accounts remotely.

The flaw is due to the way web server unsafely handle deserialization operations, which could allow attackers to execute code on the server processing the deserialized data.

According to the researchers, when a user logs in into his account, the application uses REST API to send an authentication request to the server, which includes an authorization header containing a serialized .NET object encoded in base64.

This serialized .NET object holds the information about a user’s session, but researchers found that the “integrity of the serialized data is not protected.”

Since the server does not verify the integrity of the serialized data and unsafely handles the deserialization operations, attackers can merely manipulate authentication tokens to inject their malicious code into the authorization header, gaining “unauthenticated, remote code execution on the web server.”

Researchers have also released a full proof-of-concept code to demonstrate the vulnerability using ysoserial.net, an open source tool for generating payloads for .NET applications performing unsafe deserialization of objects.

The technical details of the vulnerability and exploit code came only after RedTeam responsibly reported the vulnerability to CyberArk and the company rolled out patched versions of the CyberArk Password Vault Web Access.

Enterprises using CyberArk Password Vault Web Access are highly recommended to upgrade their software to version 9.9.5, 9.10 or 10.2.

In case you cannot immediately upgrade your software, the possible workaround to mitigate this vulnerability is disabling any access to the API at the route / PasswordVault / WebServices.