CVE-2024-2915
📋 TL;DR
This vulnerability allows an attacker who already has access to the PAM JIT (just-in-time) elevation feature of Devolutions Server to elevate themselves into groups they are not authorized for by sending a specially crafted elevation request. It affects Devolutions Server 2024.1.6 and earlier. Exploitation requires an existing authenticated account with PAM JIT access; it is not reachable anonymously.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions: a self-hosted credential vault and privileged access management (PAM) platform used with Remote Desktop Manager. Its PAM JIT elevation feature lets approved users request temporary membership in privileged groups for a limited time.
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could gain administrative privileges, potentially compromising the entire Devolutions Server environment and accessing all managed credentials and systems.
Likely Case
Attackers with legitimate user access could elevate to higher privilege groups, gaining unauthorized access to sensitive systems and credentials managed by the server.
If Mitigated
Restricting PAM JIT access to a small set of users and reviewing elevation audit logs does not close the flaw, but it limits who is able to attempt the attack and makes a successful elevation into an unexpected group visible in the audit trail.
🎯 Exploit Status
Exploitation requires an authenticated account with access to the PAM JIT elevation feature. The vendor advisory describes the trigger as a specially crafted elevation request, so no additional vulnerability chain is needed once that access is held.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1.7 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2024-0005
Restart Required: Yes
Instructions:
1. Download Devolutions Server 2024.1.7 or later from official sources.
2. Back up the current configuration and data.
3. Install the update following Devolutions documentation.
4. Restart the Devolutions Server service.
🔧 Temporary Workarounds
Disable PAM JIT Elevation
Temporarily disable the PAM JIT elevation feature to prevent exploitation while patching is planned. Note that this also blocks legitimate JIT elevation, so inform the teams that depend on it.
Navigate to Devolutions Server Admin Console > Security Settings > PAM Settings > Disable JIT Elevation
Restrict Access to PAM Features
Limit which users and groups have access to PAM-related features.
Review and modify role-based access controls in Devolutions Server so that PAM JIT elevation is available only to the personnel who need it; every account with JIT access is a potential attacker for this flaw.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Devolutions Server from critical systems
- Enable detailed audit logging for all PAM JIT elevation attempts and review logs daily
🔍 How to Verify
Check if Vulnerable:
Check Devolutions Server version in Admin Console > About. If version is 2024.1.6 or earlier, system is vulnerable.
Check Version:
In Devolutions Server Admin Console, navigate to Help > About to view version information.
Verify Fix Applied:
Verify the version is 2024.1.7 or later in Admin Console > About, then test PAM JIT elevation with a non-privileged account and confirm that a request for a group outside that account's approved PAM scope is rejected and logged.
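The version check above is easy to get wrong when scripted, because a plain string comparison ranks "2024.1.10" below "2024.1.7". The following is an added example (not part of this page or of Devolutions' own tooling) that parses the version string numerically and compares it against the fixed release; the version strings fed to it are constructed, and the helper names are assumptions.

```python
"""Numeric version check for CVE-2024-2915.

Affected: Devolutions Server 2024.1.6 and earlier. Fixed: 2024.1.7 or later.
Added example; feed it the version string shown on the server's About page.
"""
import re

FIXED_VERSION = (2024, 1, 7)


def parse_version(s):
    """'2024.1.6' or '2024.1.6.0' -> (2024, 1, 6) or (2024, 1, 6, 0).

    Raises ValueError on anything that is not dot-separated integers, so a
    garbled value is never silently treated as 'patched'.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)+)\s*", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True if the installed version is older than the fixed release.

    Only the first three components matter; a fourth build component such
    as '2024.1.7.0' is ignored so it compares equal to '2024.1.7'.
    """
    parts = parse_version(version)
    major_minor_patch = (parts + (0, 0, 0))[:3]
    return major_minor_patch < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for v in ("2024.1.6", "2024.1.6.0", "2024.1.7", "2024.1.10", "2023.3.12"):
        print(f"{v:12} vulnerable={is_vulnerable(v)}")
```

Compare the tuple, not the string: "2024.1.10" is a later release than "2024.1.7" and must report as patched.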
📡 Detection & Monitoring
Log Indicators:
- Unusual PAM JIT elevation requests (new requesting users, off-hours requests, unfamiliar target groups)
- Multiple failed elevation attempts from one user followed by a successful elevation
- A successful JIT elevation into a group outside the requesting user's approved PAM scope
Network Indicators:
- Unusual API calls to PAM elevation endpoints from unexpected sources
SIEM Query:
Illustrative Splunk-style search; the source name and field names are placeholders and must be mapped to the fields your log forwarder actually produces, and authorized_pam_users.csv is a lookup you maintain:
source="devolutions_server" (event_type="pam_elevation" OR event_type="group_change") result="success" NOT [| inputlookup authorized_pam_users.csv | fields user]
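The two log indicators that matter most here, a success into a group outside the user's approved scope and a run of failures followed by a success, are simple to express as code and run over exported audit events. The following is an added example, not code from this page or from Devolutions: the JSON-lines event schema, the field names and the approved-group policy are assumptions, and the sample events are constructed.

```python
"""Detection logic for the CVE-2024-2915 log indicators above.

Added example. The event format is a hypothetical JSON-lines export; map
the field names (event_type, user, group, result, ts) to your real schema.
"""
import json
from collections import defaultdict

# Approved JIT elevation scope per user. Assumed policy data, not product data.
APPROVED_GROUPS = {
    "alice": {"SQL-Operators"},
    "bob": {"Helpdesk-Tier1"},
}

# Constructed sample audit events (not real Devolutions Server output).
SAMPLE_EVENTS = """
{"ts": "2024-04-02T09:00:01Z", "event_type": "pam_elevation", "user": "alice", "group": "SQL-Operators", "result": "success", "src_ip": "10.0.5.20"}
{"ts": "2024-04-02T09:03:10Z", "event_type": "pam_elevation", "user": "bob", "group": "Domain Admins", "result": "failure", "src_ip": "10.0.5.31"}
{"ts": "2024-04-02T09:03:15Z", "event_type": "pam_elevation", "user": "bob", "group": "Domain Admins", "result": "failure", "src_ip": "10.0.5.31"}
{"ts": "2024-04-02T09:03:22Z", "event_type": "pam_elevation", "user": "bob", "group": "Domain Admins", "result": "success", "src_ip": "10.0.5.31"}
{"ts": "2024-04-02T09:10:00Z", "event_type": "pam_elevation", "user": "bob", "group": "Helpdesk-Tier1", "result": "success", "src_ip": "10.0.5.31"}
{"ts": "2024-04-02T09:12:00Z", "event_type": "login", "user": "carol", "result": "success", "src_ip": "10.0.5.40"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, ordered by timestamp (ISO-8601 sorts lexically)."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def find_unauthorized_elevations(events, approved=APPROVED_GROUPS):
    """Successful JIT elevations into a group outside the user's approved scope.

    A user with no policy entry has an empty scope, so any success is flagged.
    Returns (ts, user, group) tuples.
    """
    alerts = []
    for e in events:
        if e.get("event_type") != "pam_elevation" or e.get("result") != "success":
            continue
        if e["group"] not in approved.get(e["user"], set()):
            alerts.append((e["ts"], e["user"], e["group"]))
    return alerts


def find_fail_then_success(events, min_failures=2):
    """Per user: at least min_failures consecutive failed elevations, then a success.

    Returns (ts_of_success, user, group, failure_count) tuples.
    """
    alerts = []
    streak = defaultdict(int)
    for e in events:
        if e.get("event_type") != "pam_elevation":
            continue
        user = e["user"]
        if e.get("result") == "failure":
            streak[user] += 1
            continue
        if streak[user] >= min_failures:
            alerts.append((e["ts"], user, e["group"], streak[user]))
        streak[user] = 0
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in find_unauthorized_elevations(evs):
        print("ALERT unauthorized elevation:", a)
    for a in find_fail_then_success(evs):
        print("ALERT failures followed by success:", a)
```

In the constructed sample, bob's elevation into "Domain Admins" fires both rules: it is outside his approved scope, and it follows two failed attempts. Alice's elevation into her approved group is silent, which is the point of keeping the policy lookup next to the detection logic.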