CVE-2024-12196
📋 TL;DR
This vulnerability allows authenticated users in Devolutions Server to view password history entries without proper authorization. Attackers with valid credentials can access sensitive password history data they shouldn't have permission to see. This affects all Devolutions Server deployments running version 2024.3.7.0 or earlier.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could systematically extract historical passwords for all entries, potentially compromising credentials across the entire environment and enabling lateral movement.
Likely Case
Malicious insiders or compromised accounts could access password history for specific entries they target, potentially recovering previously used credentials.
If Mitigated
With proper access controls and monitoring, unauthorized access attempts would be detected and logged, limiting exposure to targeted entries.
🎯 Exploit Status
Exploitation requires valid user credentials but no special technical skills - just API or UI access to view password history.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3.8.0 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2024-0017
Restart Required: Yes
Instructions:
1. Back up your Devolutions Server configuration and database.
2. Download and install Devolutions Server 2024.3.8.0 or later from the official website.
3. Run the installer and follow the upgrade prompts.
4. Restart the Devolutions Server service.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Password History Feature
Temporarily disable password history functionality to prevent unauthorized access to historical passwords.
Navigate to Administration > Security Settings > Password History and disable the feature.
Restrict User Permissions
Review and tighten user permissions, ensuring only necessary users have access to sensitive entries.
Review user permissions in Administration > Users and adjust access controls.
🧯 If You Can't Patch
- Implement strict access controls and monitor all password history access attempts
- Enable detailed logging and set up alerts for unauthorized access patterns
🔍 How to Verify
Check if Vulnerable:
Check the Devolutions Server version in Administration > About. If the version is 2024.3.7.0 or earlier, the system is vulnerable.
Check Version:
Check the version in the Administration > About section of the Devolutions Server web interface.
Verify Fix Applied:
After patching, verify version is 2024.3.8.0 or later in Administration > About. Test that users without view password permission cannot access password history.
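For anyone scripting the version check across several servers rather than reading the About page by hand, the comparison has to be numeric per component: a plain string comparison ranks 2024.3.10.0 below 2024.3.8.0 and would report a patched server as vulnerable. The snippet below is an added example, not a Devolutions tool; the fixed version comes from this advisory, while the hostnames and inventory are constructed.

```python
"""Version gate for CVE-2024-12196: versions below 2024.3.8.0 are vulnerable.
Added example, not Devolutions tooling. Parses dotted versions into integer
tuples so that 2024.3.10.0 correctly compares as newer than 2024.3.8.0."""

FIXED_VERSION = "2024.3.8.0"  # first fixed release per the advisory on this page

# Constructed inventory (hostnames and versions are made up for the example).
CONSTRUCTED_INVENTORY = {
    "dvls-prod-01": "2024.3.7.0",
    "dvls-prod-02": "2024.3.10.0",
    "dvls-lab-01": "2024.2.15.0",
}


def parse_version(text):
    """'2024.3.7.0' -> (2024, 3, 7, 0); missing trailing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def naive_string_check(version, fixed=FIXED_VERSION):
    """The wrong way: lexicographic string comparison. Kept only to show the
    pitfall; '2024.3.10.0' < '2024.3.8.0' evaluates to True here."""
    return version < fixed


def hosts_needing_patch(inventory):
    """Return the sorted list of hosts still running a vulnerable version."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host, ver in CONSTRUCTED_INVENTORY.items():
        print(f"{host}: {ver} -> {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
```

Feed `hosts_needing_patch` whatever your CMDB or an automated call to each server's About information yields; the point is the tuple comparison, not the inventory source.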
📡 Detection & Monitoring
Log Indicators:
- Failed authorization attempts for password history access
- Successful password history queries from users without proper permissions
- Unusual patterns of password history access
Network Indicators:
- API calls to password history endpoints from unauthorized users
- Increased traffic to password-related endpoints
SIEM Query:
source="devolutions-server" AND (event_type="password_history_access" OR api_endpoint="/api/password/history") AND user_permission!="view_password"
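The three log indicators and the SIEM query above translate into detection logic as follows. This is an added example, not a Devolutions Server component or a real log schema: the key=value line format and the field names (ts, event_type, api_endpoint, user, permissions, entry_id, result) are assumptions modelled on the query shown above, and the sample lines are constructed. The third check generalizes "unusual patterns" into a sliding-window count of distinct entries per user.

```python
"""Detection logic for CVE-2024-12196 indicators, run over constructed sample
audit-log lines. Added example: field names and the key=value format are
assumptions modelled on the SIEM query on this page, not the real Devolutions
Server log schema. Map the fields to whatever your server actually emits."""
from collections import defaultdict
from datetime import datetime, timedelta

HISTORY_ENDPOINT = "/api/password/history"  # endpoint named in the SIEM query above
REQUIRED_PERMISSION = "view_password"       # permission named in the SIEM query above

# Constructed sample log lines (not real Devolutions Server output).
SAMPLE_LOG = """\
ts=2024-11-20T09:00:01Z source=devolutions-server event_type=password_history_access user=alice permissions=view_password,edit entry_id=e1 result=success
ts=2024-11-20T09:00:05Z source=devolutions-server event_type=password_history_access user=bob permissions=view entry_id=e1 result=success
ts=2024-11-20T09:00:09Z source=devolutions-server event_type=entry_view user=bob permissions=view entry_id=e2 result=success
ts=2024-11-20T09:00:12Z source=devolutions-server api_endpoint=/api/password/history user=bob permissions=view entry_id=e3 result=success
ts=2024-11-20T09:00:15Z source=devolutions-server api_endpoint=/api/password/history user=carol permissions=view entry_id=e4 result=denied
ts=2024-11-20T09:00:20Z source=devolutions-server event_type=password_history_access user=bob permissions=view entry_id=e5 result=success
ts=2024-11-20T09:00:25Z source=devolutions-server event_type=password_history_access user=bob permissions=view entry_id=e6 result=success
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; values in this format never contain spaces."""
    return dict(tok.split("=", 1) for tok in line.split())


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_history_access(ev):
    """Match either representation the SIEM query looks for: an event type
    or a hit on the password-history API endpoint."""
    return (ev.get("event_type") == "password_history_access"
            or ev.get("api_endpoint") == HISTORY_ENDPOINT)


def lacks_view_password(ev):
    return REQUIRED_PERMISSION not in ev.get("permissions", "").split(",")


def find_denied_attempts(events):
    """Indicator 1: failed authorization on password-history access."""
    return [ev for ev in events
            if is_history_access(ev) and ev.get("result") == "denied"]


def find_unauthorized_successes(events):
    """Indicator 2: history was returned to a user lacking view_password.
    On an unpatched server (2024.3.7.0 or earlier) this is the bug firing."""
    return [ev for ev in events
            if is_history_access(ev) and ev.get("result") == "success"
            and lacks_view_password(ev)]


def find_bulk_access(events, threshold=3, window=timedelta(seconds=60)):
    """Indicator 3: a user reading the history of >= threshold distinct
    entries within `window`, the shape of systematic extraction."""
    per_user = defaultdict(list)
    for ev in events:
        if is_history_access(ev) and ev.get("result") == "success":
            per_user[ev["user"]].append((parse_ts(ev["ts"]), ev.get("entry_id")))
    flagged = set()
    for user, hits in per_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide window forward
                start += 1
            distinct = {entry for _, entry in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("denied:", [e["user"] for e in find_denied_attempts(evs)])
    print("unauthorized successes:", [(e["user"], e["entry_id"]) for e in find_unauthorized_successes(evs)])
    print("bulk readers:", find_bulk_access(evs))
```

In the sample, alice holds view_password and is never flagged; carol's denied request surfaces under the first indicator; bob's four successful reads without the permission surface under the second, and because they touch four distinct entries inside 60 seconds he is also flagged as a bulk reader. The threshold and window are starting points to tune against your own baseline of legitimate history lookups.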