CVE-2024-54840
📋 TL;DR
This vulnerability in CyberArk's Password Vault Web Access (PVWA) allows an attacker to perform Host header injection when certain environment issues are present. It affects CyberArk Privileged Access Manager Self-Hosted installations before version 14.4. Because the affected PVWA can build absolute URLs from the client-supplied Host header rather than from its configured hostname, an attacker who sends a forged Host value can poison web caches, redirect password reset links to a domain they control, or influence server-side requests derived from that header.
💻 Affected Systems
- CyberArk Privileged Access Manager Self-Hosted
📦 What is this software?
PVWA (Password Vault Web Access) is the web front end of CyberArk Privileged Access Manager Self-Hosted: the IIS-hosted portal through which users and administrators log on, retrieve privileged credentials and administer the vault. It is therefore the component most exposed to HTTP-level attacks such as Host header injection.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect password reset links to an attacker-controlled domain, capture credentials or reset tokens submitted there, or influence server-side requests made toward internal systems.
Likely Case
Web cache poisoning leading to user redirection to malicious sites or manipulation of password reset functionality.
If Mitigated
Limited impact with proper network segmentation, web application firewalls, and input validation controls in place.
🎯 Exploit Status
A proof of concept is available in a public gist, but exploitation requires specific environment conditions to be met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.4
Vendor Advisory: https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-4.htm#Securitybugfixes
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Download CyberArk PAM Self-Hosted version 14.4 from the CyberArk support portal.
3. Follow CyberArk's official upgrade documentation for your specific deployment.
4. Apply the update to all affected PVWA components.
5. Restart services as required by the upgrade process.
🔧 Temporary Workarounds
Host Header Validation
Configure the web server, reverse proxy or web application firewall in front of PVWA to accept only the canonical PVWA hostname(s) in the Host header and to reject every other value.
Environment Hardening
Review the PVWA environment for the configuration issues under which this flaw becomes exploitable and correct them.
🧯 If You Can't Patch
- Implement strict Host header validation (an allowlist of the canonical PVWA hostnames) at the web application firewall or reverse proxy level
- Monitor web server logs for Host header values that do not match the canonical PVWA hostname, and for redirects whose Location points elsewhere
🔍 How to Verify
Check if Vulnerable:
Check the CyberArk PAM version shown in the PVWA interface or in your deployment's configuration records. Versions before 14.4 are affected.
Check Version:
The PVWA web interface displays the installed version; consult the CyberArk documentation for the version verification method specific to your deployment.
Verify Fix Applied:
Confirm the version is 14.4 or later in the PVWA interface, then send a request with a forged Host header and confirm that the response neither reflects that value in a redirect nor in any generated link.
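The following probe is an added verification example, not CyberArk's code and not part of the original page. It sends one request with a forged Host header and reports where, if anywhere, that value is reflected back. PVWA_URL is a placeholder for your own PVWA URL and FORGED_HOST is an arbitrary attacker-style name; both are assumptions. Redirects are deliberately not followed, because on a vulnerable server the Location would point at the forged host.

```python
"""Probe a PVWA front end for Host header reflection (added example)."""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

PVWA_URL = "https://pvwa.example.com/PasswordVault/"  # placeholder, your PVWA
FORGED_HOST = "attacker.example"                       # placeholder forged Host

# Absolute URL: scheme, authority (group 1), then the rest up to a delimiter.
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)[^\s\"'<>]*")


def _hostname(authority: str) -> str:
    """Strip userinfo and port from a URL authority: user@host:443 -> host."""
    return authority.rsplit("@", 1)[-1].split(":")[0].lower()


def host_reflected(forged_host: str, headers: Dict[str, str], body: str) -> List[str]:
    """Return every place the forged Host value was reflected back.

    A vulnerable server builds absolute URLs (redirects, password reset
    links, canonical links) from the client-supplied Host header, so the
    forged name shows up in Location-style headers or in the HTML body.
    A fixed server rejects the request or keeps its configured hostname.
    """
    wanted = forged_host.lower()
    findings = []
    for name, value in headers.items():
        if name.lower() in ("location", "content-location", "link", "refresh"):
            if any(_hostname(m.group(1)) == wanted for m in URL_RE.finditer(value)):
                findings.append(f"header {name.lower()}: {value}")
    for m in URL_RE.finditer(body):
        if _hostname(m.group(1)) == wanted:
            findings.append(f"body url: {m.group(0)}")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow redirects: a poisoned Location would send us to the attacker."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for 3xx instead of following


def probe(url: str, forged_host: str = FORGED_HOST, timeout: float = 10.0) -> Tuple[int, Dict[str, str], str]:
    """Send one GET with a forged Host header; return (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Host": forged_host, "User-Agent": "host-header-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx land here; the headers are exactly what we want to inspect.
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PVWA_URL
    status, hdrs, text = probe(target)
    hits = host_reflected(FORGED_HOST, hdrs, text)
    print(f"{target} -> HTTP {status}; reflected: {hits or 'none'}")
```

An empty result on a patched 14.4 system is the expected outcome; a 400 or a redirect to the PVWA's own hostname is also fine. Any entry naming the forged host means the Host header is still being trusted and the front-end allowlist from the workarounds section is needed.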
📡 Detection & Monitoring
Log Indicators:
- Host header values other than the canonical PVWA hostname(s), or requests with no Host header at all
- Multiple failed authentication attempts from the same client accompanied by manipulated headers
- Redirects (3xx responses) whose Location points to a hostname other than the PVWA's own
Network Indicators:
- HTTP requests whose Host header does not match the PVWA hostname, or contains characters such as "@", "/" or whitespace
- Unusual outbound connections from PVWA servers
SIEM Query:
source="web_server_logs" AND NOT (Host="pvwa.example.com" OR Host="pvwa.example.com:443")
Replace pvwa.example.com with your canonical PVWA hostname(s). An allowlist negation is the only query that works here: the attacker chooses the Host value, so matching on words like "malicious" finds nothing. On IIS, enable the cs-host field in W3C logging, otherwise the Host value is not written to the log at all.
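The log indicators and the SIEM query above both come down to one rule: any request whose Host header is not one of the PVWA's own names is worth a look. The script below is an added example, not CyberArk's code and not from the original page, that applies that rule offline to a handful of constructed log lines. The lines use a combined-log format with the Host header appended as the last quoted field (%h - - [%t] "%r" %>s %b "%{Host}i"); LOG_RE, ALLOWED_HOSTS and the sample addresses are assumptions to adapt to your own log format and hostnames.

```python
"""Flag requests whose Host header does not match the PVWA's own hostname (added example)."""
import re
from typing import Iterable, List, Optional, Tuple

ALLOWED_HOSTS = {"pvwa.example.com"}  # placeholder canonical PVWA hostname(s)

# Combined log format with "%{Host}i" appended as the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<host>[^"]*)"$'
)

# Constructed sample log: two normal requests, then three probes from one client.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:09:12:01 +0000] "GET /PasswordVault/ HTTP/1.1" 200 5123 "pvwa.example.com"
203.0.113.10 - - [10/Jan/2025:09:12:05 +0000] "POST /PasswordVault/ HTTP/1.1" 200 412 "PVWA.example.com:443"
198.51.100.7 - - [10/Jan/2025:09:13:44 +0000] "GET /PasswordVault/ HTTP/1.1" 302 0 "attacker.example"
198.51.100.7 - - [10/Jan/2025:09:13:46 +0000] "GET /PasswordVault/ HTTP/1.1" 302 0 "pvwa.example.com@attacker.example"
198.51.100.7 - - [10/Jan/2025:09:13:50 +0000] "GET /PasswordVault/ HTTP/1.0" 400 0 "-"
"""


def classify_host(host: str, allowed_hosts: Iterable[str]) -> Optional[str]:
    """Return a reason string if the Host value is anomalous, else None."""
    allowed = {h.lower() for h in allowed_hosts}
    if host in ("", "-"):
        return "missing Host header"
    name, _, port = host.lower().partition(":")
    # A real hostname is letters, digits, dots and hyphens; anything else
    # ('@', '/', whitespace, a second ':') is someone smuggling a value.
    if not re.fullmatch(r"[a-z0-9.-]+", name):
        return "Host contains unexpected characters"
    if name not in allowed:
        return "Host not in allowlist"
    if port and port != "443":
        return "unexpected port in Host"
    return None


def find_host_anomalies(log_text: str, allowed_hosts: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, host_value, reason) for every anomalous request."""
    allowed = set(allowed_hosts)
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected format; leave it to another parser
        reason = classify_host(match["host"], allowed)
        if reason:
            findings.append((match["ip"], match["host"], reason))
    return findings


if __name__ == "__main__":
    for ip, host, reason in find_host_anomalies(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f"{ip}\t{host!r}\t{reason}")
```

Run against the sample, only the three probes from 198.51.100.7 are reported; the upper-case and ":443" variants of the real hostname are normalised rather than flagged, which keeps the alert volume down on the legitimate traffic a PVWA sees all day.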