
Delinea patches API vulnerability in Secret Server Cloud


Delinea confirmed April 15 that there was a vulnerability in Delinea Platform and Secret Server Cloud that is now patched.

In an email statement to SC Media, Delinea said it has provided a remediation guide for its on-premises customers to fix the vulnerability.

“Our engineering and security teams have conducted reviews for any evidence of compromised tenant data,” said a spokesperson for Delinea. “At this time, we have found no evidence that any customer’s data has been compromised and no attempts to exploit the vulnerability have occurred.”

Security pros said organizations with on-premises installations of Delinea Secret Server Cloud should update them immediately. If left unpatched, the vulnerability — a flaw in the SOAP API — could let attackers bypass authentication, gain administrative access, and extract secrets.

“The vulnerability's exploitation would bypass authentication entirely, essentially allowing attackers to bypass security measures and access privileged credentials,” said Sarah Jones, cyber threat intelligence research analyst at Critical Start.

Jones said with these privileged credentials in hand, attackers gain significant control over the network. They could leverage this access to move laterally across the network, progressively gaining access to more systems and data, said Jones.

“Additionally, they could escalate their privileges to the highest level, granting them complete administrative control,” said Jones. “This level of access could be used to deploy malware for data theft, disrupt operations, or launch crippling ransomware attacks. In essence, this vulnerability represents a significant security breach waiting to happen, potentially leading to a complete network compromise.”

Nick Rago, vice president of product strategy at Salt Security, added that an API authentication bypass would essentially not just let a threat actor obtain keys to the castle, but potentially to every door, drawer, and closet inside the castle.

“While Delinea claims to have patched its cloud-based service, it’s up to its on-premise customers to take the time to upgrade/patch their systems to protect against this threat,” said Rago. “Attackers are well aware that most organizations do not have API security solutions protecting their internal API assets. So, this scenario is one where an attacker would easily be able to stay slow and low under the radar, and evade detection, while exfiltrating secrets.”

Thomas Siu, chief information security officer at Inversion6, pointed out that the attackers in the MGM Grand ransomware attack gained undetected access to the casino's PAM service, which enhanced the attacker's ability to spread malware using administrator accounts to take control of core IT services.

“The twist to this case is that after Delinea has patched the service, customers can use it to quickly and thoroughly rotate all of their login credentials if they suspect any loss of data,” said Siu.
