SB2021090205 - Multiple vulnerabilities in CyberArk Credential Provider
Published: September 2, 2021 Updated: October 11, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Inadequate Encryption Strength (CVE-ID: CVE-2021-31796)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the effective key space used to encrypt the passwords is significantly reduced. A remote attacker can gain access to sensitive information on the target system.
2) Race condition (CVE-ID: CVE-2021-31797)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a race condition in the user identification mechanism. A remote attacker can exploit the race and disclose passwords.
3) Inadequate Encryption Strength (CVE-ID: CVE-2021-31798)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to the effective key space used to encrypt the cache has low entropy. A local user can obtain the plaintext of cache files.
Remediation
Install update from vendor's website.
References
- https://www.cyberark.com/resources/blog
- https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt
- http://seclists.org/fulldisclosure/2021/Sep/1
- https://korelogic.com/Resources/Advisories/KL-001-2021-009.txt
- http://seclists.org/fulldisclosure/2021/Sep/2
- http://seclists.org/fulldisclosure/2021/Sep/3
- https://korelogic.com/Resources/Advisories/KL-001-2021-010.txt