CVE-2024-2921
📋 TL;DR
This vulnerability allows authenticated users with PAM access in Devolutions Server to bypass permission controls and view unauthorized PAM entries. It affects all Devolutions Server deployments running version 2024.1.10.0 or earlier. Attackers can exploit this to access sensitive credentials and secrets they shouldn't have permission to view.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server is a self-hosted password and privileged access management (PAM) platform by Devolutions.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all PAM-stored credentials, allowing lateral movement, privilege escalation, and data exfiltration across the entire environment.
Likely Case
Unauthorized access to sensitive credentials and secrets, potentially leading to account compromise and limited lateral movement within the PAM system.
If Mitigated
Limited exposure if strict network segmentation and minimal user permissions are already implemented, though some credential exposure may still occur.
🎯 Exploit Status
Exploitation requires authenticated access to the PAM system but is straightforward once authenticated. No special tools or advanced techniques are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1.11.0 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2024-0005
Restart Required: Yes
Instructions:
1. Download Devolutions Server 2024.1.11.0 or later from the official Devolutions website
2. Backup your current configuration and database
3. Run the installer to upgrade your existing installation
4. Restart the Devolutions Server service
5. Verify the upgrade completed successfully
🔧 Temporary Workarounds
Temporary PAM Access Restriction
Temporarily disable or restrict PAM access for all non-essential users while waiting for patch deployment.
# Use Devolutions Server management console to modify user permissions
# Remove PAM access from users who don't absolutely need it
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Devolutions Server from other critical systems
- Enable detailed audit logging for all PAM access attempts and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the Devolutions Server version in the administration console or via the web interface. If the version is 2024.1.10.0 or earlier, the system is vulnerable.
Check Version:
# In Devolutions Server web interface, navigate to Administration > About
Verify Fix Applied:
After patching, verify the version shows 2024.1.11.0 or later in the administration console. Test PAM permissions with a test user to ensure proper access controls are enforced.
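Added example (not Devolutions' code and not part of the advisory): a small helper that decides whether a build is affected from the version string shown under Administration > About. It assumes the administrator reads the version from the console and passes it in; no product API is called. The point it demonstrates is that version strings must be compared numerically field by field, since a plain string comparison ranks "2024.1.9.0" above "2024.1.10.0".

```python
# Added example, not Devolutions' code: classify a Devolutions Server build
# against the first fixed release named in the advisory (2024.1.11.0).
# Assumption: the version string is read from Administration > About and
# passed in by an administrator; nothing here talks to the server.
from typing import Tuple

FIXED_VERSION = "2024.1.11.0"  # first fixed build per the vendor advisory
FIELDS = 4                     # Devolutions versions have four dotted fields


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2024.1.10.0' into (2024, 1, 10, 0) so comparison is numeric.

    Comparing the raw strings would be wrong: '2024.1.9.0' > '2024.1.10.0'
    lexicographically even though 1.9 is the older release. Short forms
    such as '2024.1.11' are padded with zeros so they do not sort below
    '2024.1.11.0' by accident.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > FIELDS:
        raise ValueError(f"not a dotted numeric version: {version!r}")
    parts += ["0"] * (FIELDS - len(parts))
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the build is older than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    for v in ("2024.1.9.0", "2024.1.10.0", "2024.1.11", "2024.1.11.0", "2024.2.0.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Run it with the version from the About page as the only argument to `is_vulnerable`; anything that raises `ValueError` is not a version string and should be read again from the console rather than guessed.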
📡 Detection & Monitoring
Log Indicators:
- Multiple failed permission checks followed by successful PAM entry access
- Users accessing PAM entries outside their normal permission scope
- Unusual patterns of PAM entry access from authenticated users
Network Indicators:
- Increased traffic to PAM endpoints from authenticated users
- Unusual patterns of credential retrieval
SIEM Query:
source="devolutions-server" AND (event_type="pam_access" OR event_type="permission_violation") AND result="success" AND user_permissions NOT CONTAINS accessed_resource
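Added example (not Devolutions' code and not the page's SIEM query): the first two log indicators above, run as plain Python over constructed audit events. The field names (event_type, user, entry, result, ts), the JSON-lines format and the entitlement map are assumptions made for illustration; real Devolutions Server audit output will use its own schema and the two checks would need to be mapped onto it. The second check is the stateful one a single SIEM expression cannot express well: repeated permission_violation events for a (user, entry) pair followed by a successful pam_access to the same entry.

```python
# Added example, not Devolutions' code: run the advisory's log indicators
# over constructed sample events. Field names and entitlements below are
# assumptions for illustration, not the product's real audit schema.
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: which PAM entries each user is entitled to see.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"pam/db-prod", "pam/db-stage"},
    "bob": {"pam/web-admin"},
}

# Constructed sample audit events (JSON lines), oldest first.
SAMPLE_LOG = """
{"ts": "2024-04-02T10:00:01Z", "event_type": "pam_access", "user": "alice", "entry": "pam/db-prod", "result": "success"}
{"ts": "2024-04-02T10:00:05Z", "event_type": "permission_violation", "user": "bob", "entry": "pam/db-prod", "result": "denied"}
{"ts": "2024-04-02T10:00:06Z", "event_type": "permission_violation", "user": "bob", "entry": "pam/db-prod", "result": "denied"}
{"ts": "2024-04-02T10:00:09Z", "event_type": "pam_access", "user": "bob", "entry": "pam/db-prod", "result": "success"}
{"ts": "2024-04-02T10:01:00Z", "event_type": "pam_access", "user": "bob", "entry": "pam/web-admin", "result": "success"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one broken line must not abort the whole scan
    return events


def out_of_scope_access(events: List[dict], entitlements: Dict[str, Set[str]]) -> List[dict]:
    """Indicator: successful PAM access to an entry the user is not entitled to."""
    hits = []
    for ev in events:
        if ev.get("event_type") == "pam_access" and ev.get("result") == "success":
            allowed = entitlements.get(ev.get("user"), set())
            if ev.get("entry") not in allowed:
                hits.append(ev)
    return hits


def denied_then_success(events: List[dict], min_denials: int = 2) -> List[dict]:
    """Indicator: at least min_denials permission_violation events for the same
    (user, entry) pair, followed by a successful pam_access to that entry."""
    denials: Dict[tuple, int] = defaultdict(int)
    hits = []
    for ev in events:  # events are assumed to be in time order
        key = (ev.get("user"), ev.get("entry"))
        if ev.get("event_type") == "permission_violation":
            denials[key] += 1
        elif ev.get("event_type") == "pam_access" and ev.get("result") == "success":
            if denials[key] >= min_denials:
                hits.append(ev)
            denials[key] = 0  # reset so a later burst is counted separately
    return hits


def scan(text: str, entitlements: Dict[str, Set[str]]) -> Dict[str, List[dict]]:
    """Run both indicators and return the matching events per indicator."""
    events = parse_events(text)
    return {
        "out_of_scope": out_of_scope_access(events, entitlements),
        "denied_then_success": denied_then_success(events),
    }


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LOG, ENTITLEMENTS).items():
        print(name)
        for ev in hits:
            print("  ", ev["ts"], ev["user"], ev["entry"])
```

On the constructed sample both indicators fire on the same event: bob's successful read of pam/db-prod at 10:00:09Z, which is outside his entitlements and follows two denials for that entry. Alice's read and bob's read of his own entry produce no alert, which is the false-positive case a scope check must get right.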