CVE-2023-5240

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers with permission to manage PAM propagation scripts in Devolutions Server to retrieve stored passwords via a GET request. It affects Devolutions Server 2023.2.8.0 and earlier versions. Attackers need existing access to manage PAM scripts to exploit this flaw.

💻 Affected Systems

Products:
  • Devolutions Server
Versions: 2023.2.8.0 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where PAM propagation scripts are used and users have permission to manage these scripts.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of all passwords stored in PAM propagation scripts, potentially leading to lateral movement and full system compromise.

🟠 Likely Case: Unauthorized access to sensitive passwords stored in PAM scripts, enabling privilege escalation and credential theft.

🟢 If Mitigated: Limited impact with proper access controls and monitoring, though passwords remain at risk if scripts contain them.

🌐 Internet-Facing: MEDIUM - While exploitation requires authentication, exposed instances could be targeted by authenticated attackers.
🏢 Internal Only: HIGH - Internal attackers with PAM script management permissions can easily exploit this to steal credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with PAM script management permissions and consists of a simple GET request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.2.9.0 or later

Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2023-0017

Restart Required: Yes

Instructions:

1. Back up your Devolutions Server configuration.
2. Download and install Devolutions Server version 2023.2.9.0 or later from the official website.
3. Restart the Devolutions Server service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict PAM Script Management Permissions

Platforms: all

Limit user permissions to only trusted administrators who require PAM script management access.

Audit PAM Script Content

Platforms: all

Review and remove any sensitive passwords stored directly in PAM propagation scripts.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can manage PAM propagation scripts
  • Monitor and audit all access to PAM script management interfaces

🔍 How to Verify

Check if Vulnerable:

Check the Devolutions Server version in the administration console. If the version is 2023.2.8.0 or earlier, the system is vulnerable.

Check Version:

Check the version in the Devolutions Server administration interface under System Information.

Verify Fix Applied:

Verify that the Devolutions Server version is 2023.2.9.0 or later in the administration console.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET requests to PAM script endpoints
  • Multiple failed authentication attempts followed by successful PAM script access

Network Indicators:

  • HTTP GET requests to PAM script management endpoints from unauthorized users

SIEM Query:

source="devolutions-server" AND (uri_path="/api/pam/scripts" OR uri_path CONTAINS "pam") AND http_method="GET" AND response_status=200
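
The two log indicators above can be correlated offline against exported request logs. The following is an added example, not Devolutions code and not part of the original advisory. The field names `uri_path`, `http_method` and `response_status` and the path `/api/pam/scripts` follow the page's SIEM query; `ts`, `user`, `src_ip`, the allowlist, the thresholds and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Path taken from the page's SIEM query; confirm it against your own server logs.
PAM_PATH = "/api/pam/scripts"

def flag_pam_script_reads(events, script_managers, window_s=600, fail_threshold=3):
    """Return alerts for successful GETs to PAM script endpoints that are made by
    a user outside `script_managers`, or that follow a burst of 401 responses
    to the same source address within `window_s` seconds."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent 401 responses
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["src_ip"]]
        # Drop failures that have aged out of the correlation window.
        while recent and ev["ts"] - recent[0] > window_s:
            recent.popleft()
        if ev["response_status"] == 401:
            recent.append(ev["ts"])
            continue
        is_pam_read = (ev["http_method"].upper() == "GET"
                       and ev["uri_path"].lower().startswith(PAM_PATH)
                       and ev["response_status"] == 200)
        if not is_pam_read:
            continue
        reasons = []
        if ev["user"] not in script_managers:
            reasons.append("user not an approved PAM script manager")
        if len(recent) >= fail_threshold:
            reasons.append(f"{len(recent)} failed logins from {ev['src_ip']} beforehand")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "uri_path": ev["uri_path"], "reasons": reasons})
    return alerts

# Constructed sample events (hypothetical fields and paths, not real server output).
FIELDS = ("ts", "user", "src_ip", "http_method", "uri_path", "response_status")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (100, "-", "10.0.0.7", "POST", "/api/login", 401),
    (130, "-", "10.0.0.7", "POST", "/api/login", 401),
    (160, "-", "10.0.0.7", "POST", "/api/login", 401),
    (200, "svc-helpdesk", "10.0.0.7", "GET", "/api/pam/scripts/42", 200),
    (300, "pam-admin", "10.0.0.9", "GET", "/api/pam/scripts", 200),
    (400, "jdoe", "10.0.0.12", "GET", "/api/pam/scripts/7", 200),
    (500, "pam-admin", "10.0.0.9", "POST", "/api/pam/scripts", 200),
    (2000, "pam-admin", "10.0.0.7", "GET", "/api/pam/scripts/42", 200),
]]

if __name__ == "__main__":
    for alert in flag_pam_script_reads(SAMPLE, {"pam-admin"}):
        print(alert)
```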
