One Identity reports critical flaw and patch in Safeguard for Privileged Passwords
Take action: If you are running One Identity’s Safeguard for Privileged Passwords appliance on VMware or Hyper-V, patch IMMEDIATELY. Attackers can craft a cookie to access it immediately. Don't rely on firewall rules and isolation: the system needs to be accessible to your workforce to be useful, so if anyone's endpoint is compromised by something else, your unpatched appliance can be attacked.
Learn More
A critical authentication bypass vulnerability has been identified in One Identity’s Safeguard for Privileged Passwords (SPP).
Safeguard for Privileged Passwords is a tool that secures and automates the management of privileged passwords.
- The vulnerability tracked as CVE-2024-45488 (CVSS score 9.8) arises from a hard-coded cryptographic key in SPP virtual appliance images, which allows attackers to forge session cookies and bypass authentication. This can result in unauthorized administrative access to the appliance. The flaw is known as a “Skeleton Cookie” vulnerability.
- If the default backup encryption setting is used (which relies on a hard-coded RSA key), attackers can also download and decrypt appliance backups, potentially compromising additional sensitive data.
- Since the cryptographic key is hard-coded, an attacker with administrative access to any appliance can extract it and then reuse it to craft credential cookies for any other application. Moreover, it may be possible to reuse the credentials from one appliance on any other.
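To illustrate the cross-appliance cookie reuse described above, here is an added toy model; it is not One Identity's code and does not reproduce SPP's real cookie format or key. Two appliances built from the same image share a baked-in HMAC key, so a session cookie issued by one verifies on the other; giving each appliance its own key generated at deployment closes that path.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder standing in for a key baked into an appliance image.
IMAGE_BAKED_KEY = b"constructed-placeholder-key-shared-by-every-image"


def sign_cookie(key: bytes, session: dict) -> str:
    """Encode the session and append an HMAC-SHA256 tag under `key`."""
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(key: bytes, cookie: str):
    """Return the session dict if the tag verifies under `key`, else None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class Appliance:
    """Hypothetical appliance model: key is either image-baked or per-instance."""

    def __init__(self, name: str, per_instance_key: bool):
        self.name = name
        # Hardened pattern: generate a fresh key when this instance is deployed.
        self.key = secrets.token_bytes(32) if per_instance_key else IMAGE_BAKED_KEY

    def login(self, user: str) -> str:
        return sign_cookie(self.key, {"user": user, "issuer": self.name})

    def accepts(self, cookie: str) -> bool:
        return verify_cookie(self.key, cookie) is not None


def cookie_reuse_across_appliances(per_instance_key: bool) -> bool:
    """True if a cookie issued by appliance A is accepted by appliance B."""
    a = Appliance("spp-a", per_instance_key)
    b = Appliance("spp-b", per_instance_key)
    return b.accepts(a.login("admin"))


if __name__ == "__main__":
    print("shared image key, cookie reused:", cookie_reuse_across_appliances(False))
    print("per-instance key, cookie reused:", cookie_reuse_across_appliances(True))
```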
Affected versions are Safeguard for Privileged Passwords deployments hosted on VMware or Hyper-V. Deployments on physical appliances and those hosted in Azure, AWS, OCI, or other officially supported cloud platforms are not affected.
- Safeguard for Privileged Passwords 7.0.5.1 LTS
- Safeguard for Privileged Passwords 7.4.2
- Safeguard for Privileged Passwords 7.5.2
Detection
AmberWolf researchers, who initially discovered and disclosed this vulnerability, have also provided a detection script that users can use to verify whether their instance is vulnerable to exploitation. Additionally, the researchers have published a technical write-up detailing the vulnerability and demonstrating the attack through a video.
Recommendations
- Immediate Upgrade: All users running vulnerable virtual appliances on VMware or Hyper-V are strongly advised to update to one of the patched versions as soon as possible.
- Check Vulnerability: Use the detection script released by AmberWolf researchers to ensure that your system is not vulnerable.
- Backup Security: Ensure that the appliance is not configured to use default backup encryption settings to mitigate the risk of backup data being compromised.