CVE-2020-11846
📋 TL;DR
This vulnerability in OpenText Privileged Access Manager allows attackers to gain unrestricted access to all application resources after obtaining a token. The issue occurs when a cookie is improperly set upon token issuance, effectively bypassing all authorization controls. This affects all Privileged Access Manager installations before version 3.7.0.1.
💻 Affected Systems
- OpenText Privileged Access Manager (formerly NetIQ Privileged Account Manager)
📦 What is this software?
NetIQ Privileged Access Manager by Micro Focus
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Privileged Access Manager system, allowing attackers to access, modify, or delete all privileged credentials and access controls managed by the system.
Likely Case
Unauthorized access to sensitive privileged accounts and credentials, potentially leading to lateral movement and privilege escalation across the enterprise network.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized connections to the Privileged Access Manager interface.
🎯 Exploit Status
The vulnerability requires no authentication and appears to be straightforward to exploit based on the description. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.0.1
Vendor Advisory: https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html
Restart Required: Yes
Instructions:
1. Download version 3.7.0.1 from the OpenText support portal.
2. Back up the current configuration and data.
3. Apply the update following the vendor documentation.
4. Restart all Privileged Access Manager services.
5. Verify functionality post-update.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Privileged Access Manager web interface to only authorized administrative networks and IP addresses.
Web Application Firewall Rules
Implement WAF rules to block suspicious token/cookie manipulation attempts.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Privileged Access Manager from all non-essential systems
- Enable detailed logging and monitoring for all access to the Privileged Access Manager interface
🔍 How to Verify
Check if Vulnerable:
Check the Privileged Access Manager version in the web interface admin panel or via system configuration files.
Check Version:
Check web interface or consult vendor documentation for version verification commands specific to your installation.
Verify Fix Applied:
Verify the version shows 3.7.0.1 or later in the admin interface and test that token issuance no longer sets unrestricted access cookies.
📡 Detection & Monitoring
Log Indicators:
- Unusual token issuance patterns
- Access from unauthorized IP addresses to admin functions
- Multiple failed login attempts followed by successful token access
Network Indicators:
- Unusual HTTP requests to token endpoints
- Traffic patterns suggesting cookie manipulation
SIEM Query:
source="privileged_access_manager" AND (event="token_issued" OR event="cookie_set") AND user="unknown"
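As an added example that is not part of this advisory or of any vendor tooling, the following Python script applies the log indicators listed above (token issuance for an unknown user, admin access from an unauthorized source, and a token issued right after a run of failed logins) to a few constructed log lines. The key=value log format, the event names (which reuse the ones in the SIEM query), the field names and the 10.0.5.0/24 administrative range are all assumptions; the real Privileged Access Manager log format is not shown on this page, so the parser will need adapting before use.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a hypothetical key=value format.
# The real product's log format is not documented on this page.
SAMPLE_LOGS = [
    "2020-05-01T10:00:01Z event=login_failed user=alice src=10.0.5.20",
    "2020-05-01T10:00:03Z event=login_failed user=alice src=10.0.5.20",
    "2020-05-01T10:00:05Z event=login_failed user=alice src=10.0.5.20",
    "2020-05-01T10:00:09Z event=token_issued user=alice src=10.0.5.20",
    "2020-05-01T10:02:11Z event=token_issued user=unknown src=203.0.113.7",
    "2020-05-01T10:02:12Z event=admin_access user=unknown src=203.0.113.7 path=/admin/credentials",
    "2020-05-01T10:05:00Z event=login_ok user=bob src=10.0.5.30",
    "2020-05-01T10:05:01Z event=token_issued user=bob src=10.0.5.30",
]

# Assumed list of networks from which administrative access is expected.
ADMIN_NETWORKS = [ip_network("10.0.5.0/24")]
# Number of consecutive failed logins that makes a following token issuance suspicious.
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def is_authorized_source(src):
    """True if the source IP falls inside one of the assumed admin networks."""
    addr = ip_address(src)
    return any(addr in net for net in ADMIN_NETWORKS)


def detect(lines):
    """Return a list of (indicator, log_line) findings for the indicators above."""
    findings = []
    failed_counts = defaultdict(int)  # per-user running count of failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        event = ev.get("event")
        user = ev.get("user")
        src = ev.get("src", "")

        if event == "login_failed":
            failed_counts[user] += 1
            continue
        if event == "login_ok":
            failed_counts[user] = 0
            continue

        # Indicator from the SIEM query: a token or cookie for an unknown user.
        if event in ("token_issued", "cookie_set") and user == "unknown":
            findings.append(("token issued for unknown user", line))

        # Indicator: repeated failed logins followed by a successful token issuance.
        if event == "token_issued" and failed_counts.get(user, 0) >= FAILED_LOGIN_THRESHOLD:
            findings.append(("token issued after repeated failed logins", line))
            failed_counts[user] = 0

        # Indicator: admin functions reached from outside the authorized networks.
        if event == "admin_access" and src and not is_authorized_source(src):
            findings.append(("admin access from unauthorized source", line))
    return findings


if __name__ == "__main__":
    for indicator, line in detect(SAMPLE_LOGS):
        print(f"[{indicator}] {line}")
```

Run against the constructed sample, the script flags three lines: the token issued to alice after three failures, the token issued to an unknown user, and the admin access from 203.0.113.7. Feed real log lines through the same loop once the parser matches the deployed log format, and tune FAILED_LOGIN_THRESHOLD and ADMIN_NETWORKS to the environment.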