CVE-2024-10971
📋 TL;DR
This vulnerability allows authenticated users in Devolutions DVLS to bypass intended access controls and view password history data they shouldn't have permission to access. It affects all users with any level of authentication in DVLS versions 2024.3.6 and earlier. The flaw exists in the password history feature's permission validation.
💻 Affected Systems
- Devolutions Server (DVLS)
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider could access sensitive password history data across the entire DVLS deployment, potentially compromising credentials for critical systems stored in the password manager.
Likely Case
Authenticated users can view password history entries they shouldn't have permission to see, leading to unauthorized access to credential information for systems they're not authorized to access.
If Mitigated
With proper access controls and monitoring, impact is limited to potential credential exposure for systems where the user already has some level of access.
🎯 Exploit Status
Exploitation requires authenticated access. The vulnerability is in permission validation logic, making it relatively straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3.7 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2024-0015/
Restart Required: Yes
Instructions:
1. Download DVLS version 2024.3.7 or later from the Devolutions website.
2. Back up the current DVLS configuration and database.
3. Run the installer to upgrade to the patched version.
4. Restart DVLS services.
🔧 Temporary Workarounds
Disable Password History Feature
Temporarily disable the password history feature to prevent exploitation while planning the upgrade.
Navigate to DVLS Admin Panel > Security Settings > Password History > Disable
Restrict User Access
Implement strict access controls and review all authenticated user permissions.
Review and adjust user permissions in DVLS Admin Panel > User Management
🧯 If You Can't Patch
- Implement network segmentation to isolate DVLS from critical systems
- Enable detailed audit logging for all password history access attempts
🔍 How to Verify
Check if Vulnerable:
Check the DVLS version in Admin Panel > About. If the version is 2024.3.6 or earlier, the system is vulnerable.
Check Version:
In DVLS web interface, navigate to Admin Panel > About section
Verify Fix Applied:
After the upgrade, verify that the version is 2024.3.7 or later in Admin Panel > About. Test that authenticated users cannot access password history entries beyond their permissions.
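For anyone checking many DVLS instances against the version boundary above, the following is an added example (not Devolutions' own tooling) that encodes the advisory's rule (2024.3.6 and earlier affected, 2024.3.7 or later fixed) as a component-wise numeric comparison. The version strings it is run on are constructed; the function does not query a live server.

```python
"""Decide whether a reported DVLS version is in the affected range.

Added example, not Devolutions' own tooling: it implements the advisory's
rule (2024.3.6 and earlier affected, 2024.3.7 or later fixed) as a numeric
comparison. The sample version strings are constructed.
"""
FIXED_VERSION = "2024.3.7"  # first fixed release, from the advisory


def parse_version(text):
    """'2024.3.6' -> (2024, 3, 6).

    Rejects empty or non-numeric components so a malformed string cannot
    silently compare as 'fixed'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when version_text is older than the first fixed release.

    Tuples compare component-wise, so 2024.3.10 is correctly treated as
    newer than 2024.3.7 even though a plain string comparison would sort
    the two the other way round.
    """
    return parse_version(version_text) < parse_version(fixed)


if __name__ == "__main__":
    for v in ["2024.3.6", "2024.3.7", "2024.3.10", "2024.2.15", "2025.1.0"]:
        print(v, "VULNERABLE" if is_vulnerable(v) else "fixed")
```

The point of the tuple conversion is the last comment in the block: comparing the raw strings would mark a future 2024.3.10 as vulnerable, which is the kind of false positive that erodes trust in a fleet-wide check.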
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to password history API endpoints
- Multiple failed permission checks followed by successful password history access
Network Indicators:
- HTTP requests to /api/passwordhistory endpoints from unauthorized user contexts
SIEM Query:
source="dvls" AND (uri_path="/api/passwordhistory" OR event_description="password history access") AND user_permission_level="low"
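The two log indicators above (a burst of failed permission checks followed by a successful password history read, and password history access from a low-privilege user context) are shown as runnable correlation logic in this added example. It is not from the advisory or from Devolutions: DVLS's real log schema is not described on this page, so the `ts key=value` line format below is constructed for the demonstration and the field names (`uri_path`, `status`, `user_permission_level`, `event_description`) are taken from the SIEM query above as an assumption about what a normalised event would carry.

```python
"""Correlate failed permission checks with later password-history access.

Added example, not from the advisory or from Devolutions. The log line
format and the sample events below are constructed; the field names
mirror the advisory's SIEM query as an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import shlex

# Constructed sample events: bob is denied three times and then succeeds
# within two minutes, alice performs one routine high-privilege read, and
# carol is denied once but never gets through.
SAMPLE_LOG = """\
2024-11-06T10:00:01Z user=alice uri_path=/api/passwordhistory status=200 user_permission_level=high event_description="password history access"
2024-11-06T10:01:00Z user=bob uri_path=/api/passwordhistory status=403 user_permission_level=low event_description="permission check failed"
2024-11-06T10:01:20Z user=bob uri_path=/api/passwordhistory status=403 user_permission_level=low event_description="permission check failed"
2024-11-06T10:01:45Z user=bob uri_path=/api/passwordhistory status=403 user_permission_level=low event_description="permission check failed"
2024-11-06T10:02:10Z user=bob uri_path=/api/passwordhistory status=200 user_permission_level=low event_description="password history access"
2024-11-06T10:30:00Z user=carol uri_path=/api/passwordhistory status=403 user_permission_level=low event_description="permission check failed"
2024-11-06T11:00:00Z user=bob uri_path=/api/passwordhistory status=200 user_permission_level=low event_description="password history access"
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict; values may be quoted."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_suspicious_access(log_text, min_denials=3, window=timedelta(minutes=5)):
    """Flag successful password-history reads preceded by at least
    `min_denials` permission failures from the same user inside `window`.

    Returns a list of (user, success_timestamp, denials_in_window). A burst
    of denials is consumed once it triggers, so one burst yields one alert.
    """
    recent_denials = defaultdict(deque)  # user -> timestamps of 403s
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("uri_path") != "/api/passwordhistory":
            continue
        user, ts = ev["user"], ev["ts"]
        dq = recent_denials[user]
        # Expire denials that fell out of the correlation window.
        while dq and ts - dq[0] > window:
            dq.popleft()
        if ev.get("status") == "403":
            dq.append(ts)
        elif ev.get("status") == "200" and len(dq) >= min_denials:
            findings.append((user, ts, len(dq)))
            dq.clear()
    return findings


def low_privilege_reads(log_text):
    """The advisory's SIEM query as plain code: successful password-history
    reads performed from a 'low' permission level."""
    return [
        (ev["user"], ev["ts"])
        for ev in (parse_line(l) for l in log_text.splitlines() if l.strip())
        if ev.get("uri_path") == "/api/passwordhistory"
        and ev.get("status") == "200"
        and ev.get("user_permission_level") == "low"
    ]


if __name__ == "__main__":
    for user, ts, n in find_suspicious_access(SAMPLE_LOG):
        print(f"ALERT  {user} read password history at {ts:%H:%M:%S} after {n} denials")
    for user, ts in low_privilege_reads(SAMPLE_LOG):
        print(f"REVIEW low-privilege read by {user} at {ts:%H:%M:%S}")
```

Run against the sample, the first rule fires once for bob at 10:02:10 (three denials in the preceding 70 seconds) and ignores his later 11:00 read because the burst has expired; the second rule lists both of bob's successful reads for review. Tune `min_denials` and `window` to the normal rate of permission errors in your deployment before using the first rule for alerting.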