Multiple vulnerabilities in CyberArk Password Vault Web Access



Published: 2018-04-10 | Updated: 2018-04-13
Risk: High
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2018-9843, CVE-2018-9842
CWE-ID: CWE-502, CWE-200
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available.
Vulnerable software: Password Vault Web Access (Web applications / Remote management & hosting panels)

Vendor: CyberArk

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Deserialization of untrusted data

EUVDB-ID: #VU11665

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-9843

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists because the authentication tokens consist of serialized .NET objects. A remote attacker can submit a specially crafted token, trigger deserialization of untrusted data and execute arbitrary code with the privileges of the web application.

Successful exploitation of the vulnerability may result in system compromise.
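The root cause described above (a bearer token that is itself a serialized object graph, so the server must deserialize attacker-controlled bytes before it can even decide whether the token is valid) is best understood next to the design that avoids it. The following Python is an added example written for this bulletin, not code from CyberArk or from the advisory authors; it assumes tokens are base64-encoded, which the bulletin does not state, and the key and sample bytes are constructed. It shows two defender-side pieces: a heuristic that flags inbound tokens whose decoded bytes start like a .NET BinaryFormatter stream (a check a gateway could log on or block while a patch is rolled out), and a token format that carries only primitive JSON claims under an HMAC, verified before the payload is parsed, so no object deserializer is ever involved.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# A .NET BinaryFormatter stream opens with a SerializationHeaderRecord:
# record type 0x00, RootId (int32), HeaderId (int32), MajorVersion = 1, MinorVersion = 0.
# RootId and HeaderId differ between streams, so only the record type byte and
# the two version fields are matched here.
BF_RECORD_TYPE = 0x00
BF_VERSION_FIELDS = bytes([0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])

# Constructed sample: a BinaryFormatter-style header followed by filler bytes.
SAMPLE_BINARYFORMATTER_TOKEN = base64.b64encode(
    bytes([0x00, 0x01, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF]) + BF_VERSION_FIELDS + b"\x0cconstructed"
).decode("ascii")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def looks_like_dotnet_binary_serialization(token: str) -> bool:
    """Heuristic for inbound tokens: does the base64 payload decode to bytes that
    begin like a BinaryFormatter stream? Undecodable input is simply 'no'."""
    try:
        raw = b64url_decode(token.strip())
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 17 and raw[0] == BF_RECORD_TYPE and raw[9:17] == BF_VERSION_FIELDS


def sign(key: bytes, payload_b64: str) -> str:
    return b64url_encode(hmac.new(key, payload_b64.encode("ascii"), hashlib.sha256).digest())


def issue_token(key: bytes, subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Hardened design: primitive JSON claims plus an HMAC over the encoded claims.
    Nothing in the token is ever handed to an object deserializer."""
    issued = int(time.time()) if now is None else now
    claims = {"sub": subject, "exp": issued + ttl_seconds}
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return payload_b64 + "." + sign(key, payload_b64)


def verify_token(key: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the MAC is valid and the token is unexpired, else None.
    The MAC is checked first, so unauthenticated bytes never reach the JSON parser."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload_b64, sig_b64 = parts
    if not hmac.compare_digest(sign(key, payload_b64).encode("ascii"), sig_b64.encode("utf-8")):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (binascii.Error, ValueError):
        return None
    # Only the expected primitive shape is accepted; no types are reconstructed.
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str) \
            or not isinstance(claims.get("exp"), int):
        return None
    current = int(time.time()) if now is None else now
    if current >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    key = b"constructed-test-key-not-a-real-secret"
    token = issue_token(key, "alice", 3600)
    print("signed token accepted:", verify_token(key, token) is not None)
    print("signed token flagged as BinaryFormatter:", looks_like_dotnet_binary_serialization(token))
    print("sample stream flagged as BinaryFormatter:",
          looks_like_dotnet_binary_serialization(SAMPLE_BINARYFORMATTER_TOKEN))
```

The heuristic is deliberately narrow (it matches the stream header only) and is meant for visibility and triage, not as a substitute for the vendor fix; the signed-claims format is the structural remedy, because validity is decided by a MAC over opaque bytes rather than by what those bytes deserialize into.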

Mitigation

Update to version 9.9.5, 9.10.1 or 10.2.

Vulnerable software versions

Password Vault Web Access: All versions

External links

http://www.redteam-pentesting.de/de/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Information disclosure

EUVDB-ID: #VU11826

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-9842

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper information control. A remote attacker can send a specially crafted Logon request to cause the target service to return a response containing 49 bytes of potentially sensitive information from system memory.

Mitigation

Update to version 9.7 or 10.

Vulnerable software versions

Password Vault Web Access: 9.5

External links

http://www.redteam-pentesting.de/advisories/rt-sa-2017-015


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


