CVE-2024-25652
📋 TL;DR
This vulnerability in Delinea PAM Secret Server allows users with 'Administer Reports' permission or those in UNLIMITED ADMIN MODE to gain unauthorized access to remote sessions created by legitimate users through the Custom Legacy Report functionality. This affects organizations using Delinea PAM Secret Server 11.4 where users have these specific permissions.
💻 Affected Systems
- Delinea PAM Secret Server
📦 What is this software?
Delinea Secret Server is a privileged access management (PAM) platform: it vaults privileged credentials, brokers and records remote sessions (for example RDP and SSH) to target systems on behalf of users, and exposes reporting over that activity. The Custom Legacy Report functionality is the reporting path at issue in this CVE.
⚠️ Risk & Real-World Impact
Worst Case
A user who already holds 'Administer Reports' (or is operating while UNLIMITED ADMIN MODE is enabled) uses the Custom Legacy Report functionality to reach remote sessions that other users created through the PAM solution, exposing the privileged systems and data those sessions touch. The advisory describes unauthorized access to those sessions, not a bypass of authentication: the attacker must already be a privileged, authenticated user.
Likely Case
Privileged users with report access could inadvertently or intentionally view and access remote sessions they shouldn't have access to, violating the principle of least privilege.
If Mitigated
With the permissions kept to a minimal set of users and report and session activity audited, the exposure is limited to already-privileged accounts abusing their rights, and that abuse leaves a trail in Secret Server's audit logs.
🎯 Exploit Status
Exploitation requires an authenticated account that already holds 'Administer Reports' or operates in UNLIMITED ADMIN MODE; no authentication bypass is involved. The flaw is a missing authorization check in the Custom Legacy Report functionality, which lets such a user reach sessions created by other users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in version released February 10, 2024
Vendor Advisory: https://docs.delinea.com/online-help/secret-server/release-notes/ssc-rn-2024-02-10.htm
Restart Required: Yes
Instructions:
1. Back up your Secret Server configuration and database.
2. Download the latest patch from the Delinea support portal.
3. Apply the patch following Delinea's upgrade documentation.
4. Restart the Secret Server services.
5. Verify the fix by checking the version and testing the Custom Legacy Report functionality with a low-privilege test account.
🔧 Temporary Workarounds
Restrict Report Permissions
Temporarily remove the 'Administer Reports' permission from every user who does not strictly need it, and keep UNLIMITED ADMIN MODE switched off whenever it is not actively required for a specific task.
Disable Custom Legacy Reports
If Custom Legacy Reports are not required, disable that functionality entirely until the patch is applied.
🧯 If You Can't Patch
- Implement strict access controls and review all users with 'Administer Reports' permission
- Enable detailed audit logging for all report access and session activities
🔍 How to Verify
Check if Vulnerable:
You are exposed if you run Secret Server 11.4 (any build before the February 10, 2024 release) and any account holds 'Administer Reports' or UNLIMITED ADMIN MODE is enabled. Review role assignments for 'Administer Reports' and check whether UNLIMITED ADMIN MODE is currently on.
Check Version:
Check the Secret Server web interface under Administration > System Information or review the release notes in the application.
Verify Fix Applied:
Verify the version is updated to the February 10, 2024 release or later, and test that users with report permissions cannot access unauthorized remote sessions.
📡 Detection & Monitoring
Log Indicators:
- Custom Legacy Report runs by accounts that do not normally run reports, or report output that returns session identifiers belonging to other users
- Session views or session-recording access where the viewing user is not the user who created the session
- UNLIMITED ADMIN MODE being enabled outside a change window
- Repeated failed attempts to reach report functionality
Network Indicators:
- Requests to report endpoints from accounts with no reporting duty (visible where the IIS or reverse-proxy logs in front of Secret Server are centralised)
SIEM Query (illustrative pseudo-query; the source and field names are placeholders that must be mapped to however your Secret Server audit export is ingested):
source="secret_server" AND (event_type="report_access" OR event_type="session_access") AND user_permission="Administer Reports" AND NOT session_owner=user
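The permission review in "If You Can't Patch" and the detection logic above can be driven from the same two inputs: a role/permission export and the audit log. The following is an added example, not Delinea's code and not Secret Server's real audit schema. The role model, the JSON audit records and their field names are constructed assumptions; UNLIMITED ADMIN MODE is modelled as a global switch that makes the "Unlimited Administrator" permission count as risky only while it is on. It first lists who is in scope for the CVE, then flags session views by an in-scope user on a session someone else created, rating them higher when a Custom Legacy Report was run shortly beforehand (the access path the advisory describes).

```python
import json
from datetime import datetime, timedelta

# Permissions the advisory names as sufficient to reach other users' remote
# sessions through Custom Legacy Reports on Secret Server 11.4.
# "Unlimited Administrator" only matters while UNLIMITED ADMIN MODE is enabled
# (an assumption about how the mode is modelled here, not Delinea's data model).
REPORT_PERMISSION = "Administer Reports"
UNLIMITED_ADMIN_PERMISSION = "Unlimited Administrator"

# Constructed role model, standing in for a role/permission export.
ROLE_PERMISSIONS = {
    "Administrator": {"Administer Reports", "Administer Users",
                      "Unlimited Administrator", "View Secret"},
    "Auditor": {"View Reports", "View Audit"},
    "SessionOps": {"Administer Reports"},
    "User": {"View Secret"},
}
USER_ROLES = {
    "alice": {"Administrator"},
    "bob": {"Auditor"},
    "carol": {"SessionOps"},
    "dave": {"User"},
}

# Constructed audit records (JSON lines). Field names are assumptions, not
# Secret Server's audit schema; map them to your export before use.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-02-12T09:14:03Z", "user": "carol", "action": "REPORT_RUN", "report": "Session export", "report_type": "CustomLegacy"}
{"ts": "2024-02-12T09:14:05Z", "user": "carol", "action": "SESSION_VIEW", "session_id": "s-1041", "session_owner": "dave"}
{"ts": "2024-02-12T09:20:11Z", "user": "dave", "action": "SESSION_VIEW", "session_id": "s-1041", "session_owner": "dave"}
{"ts": "2024-02-12T09:25:00Z", "user": "bob", "action": "REPORT_RUN", "report": "Secrets by folder", "report_type": "Standard"}
{"ts": "2024-02-12T09:31:40Z", "user": "alice", "action": "SESSION_VIEW", "session_id": "s-1042", "session_owner": "dave"}
"""


def users_with_risky_access(user_roles, role_permissions, unlimited_admin_mode):
    """Map each user to the sorted permissions that put them in scope for CVE-2024-25652."""
    risky = {REPORT_PERMISSION}
    if unlimited_admin_mode:
        risky.add(UNLIMITED_ADMIN_PERMISSION)
    result = {}
    for user, roles in user_roles.items():
        # Effective permissions are the union of every assigned role.
        held = set().union(*(role_permissions.get(r, set()) for r in roles))
        hits = sorted(held & risky)
        if hits:
            result[user] = hits
    return result


def _parse_ts(ts):
    # Accept the trailing "Z" form on every Python version that has fromisoformat.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_cross_user_session_access(audit_jsonl, risky_users, window=timedelta(minutes=10)):
    """Flag session views by an in-scope user on a session that someone else created.

    Severity is "high" when the same user ran a Custom Legacy report within
    `window` beforehand, otherwise "medium". Views of one's own sessions and
    views by users outside `risky_users` are ignored.
    """
    events = [json.loads(line) for line in audit_jsonl.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])          # ISO-8601 with Z sorts lexically
    last_legacy_report = {}                      # user -> time of last CustomLegacy run
    findings = []
    for e in events:
        t = _parse_ts(e["ts"])
        if e["action"] == "REPORT_RUN" and e.get("report_type") == "CustomLegacy":
            last_legacy_report[e["user"]] = t
        elif e["action"] == "SESSION_VIEW":
            user = e["user"]
            if user == e["session_owner"] or user not in risky_users:
                continue
            recent = last_legacy_report.get(user)
            severity = "high" if recent is not None and t - recent <= window else "medium"
            findings.append({
                "ts": e["ts"], "user": user, "session_id": e["session_id"],
                "session_owner": e["session_owner"],
                "permissions": risky_users[user], "severity": severity,
            })
    return findings


if __name__ == "__main__":
    in_scope = users_with_risky_access(USER_ROLES, ROLE_PERMISSIONS, unlimited_admin_mode=False)
    print("in scope:", in_scope)
    for finding in find_cross_user_session_access(SAMPLE_AUDIT_LOG, in_scope):
        print(finding)
```

On the constructed sample, carol (holds 'Administer Reports' via SessionOps) views dave's session two seconds after running a Custom Legacy report and is rated high; alice views dave's session with no preceding report and is rated medium; dave viewing his own session and bob running a standard report produce nothing. Flipping `unlimited_admin_mode` to `True` adds "Unlimited Administrator" to alice's listed permissions, which is the state you want to notice whenever the mode is left on.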
🔗 References
- https://docs.delinea.com/online-help/secret-server/admin/unlimited-administration-mode/index.htm?Highlight=unlimited%20admin
- https://docs.delinea.com/online-help/secret-server/release-notes/ssc-rn-2024-02-10.htm
- https://trust.delinea.com/
- https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25652