CVE-2024-5866
📋 TL;DR
This path traversal vulnerability in Delinea Centrify PAS lets an attacker list the contents of arbitrary directories outside the web application's root directory. It affects versions before 23.1-HF7 and can expose file names and directory layout of sensitive system and configuration locations on the server. Organizations running a vulnerable version of this privileged access management solution are at risk.
💻 Affected Systems
- Delinea Centrify Privileged Access Service
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate sensitive system files, configuration files, password stores, or other critical data on the server by directory name, which can lead to credential theft or further compromise when combined with another weakness that exposes file contents.
Likely Case
Unauthorized directory listing exposing file names and directory structures that could be used for reconnaissance and planning further attacks.
If Mitigated
Limited information disclosure with no direct access to file contents, though directory structure exposure still provides valuable reconnaissance data.
🎯 Exploit Status
Path traversal flaws of this kind typically require minimal skill to exploit once the vulnerable request and parameter are identified: the attacker sends a crafted path such as ../ sequences (or their URL-encoded equivalents) and reads the listing in the response.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.1-HF7 and later versions
Advisory (third-party, Kaspersky Security Services): https://github.com/klsecservices/Advisories/blob/master/K-Delinea-2023-002.md
Restart Required: Yes
Instructions:
1. Download the patched version (23.1-HF7 or later) from the Delinea support portal.
2. Back up the current configuration and data.
3. Install the update following Delinea's upgrade documentation.
4. Restart the Centrify PAS services.
5. Verify that the installation succeeded and that the reported version is 23.1-HF7 or later.
🔧 Temporary Workarounds
Web Application Firewall Rules
Implement WAF rules that block path traversal patterns (../ and ..\ plus their single- and double-URL-encoded forms such as %2e%2e%2f and %252e%252e%252f); rules that only match a literal ../ are trivially bypassed by encoding.
WAF-specific configuration commands vary by vendor.
Network Segmentation
Restrict access to the Centrify PAS web interface to trusted networks only. Replace TRUSTED_NETWORK with the source address or CIDR range; on firewalld hosts reload the firewall afterwards so the permanent rule takes effect, and on Windows make sure no broader inbound allow rule for port 443 already exists, since the rule below only adds an allow and does not remove existing ones.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port protocol="tcp" port="443" accept'
netsh advfirewall firewall add rule name="Centrify PAS Access" dir=in action=allow protocol=TCP localport=443 remoteip=TRUSTED_NETWORK
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can reach the Centrify PAS web interface
- Deploy a web application firewall with rules specifically designed to detect and block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check the installed Centrify PAS version in the administration web interface (or in the installed-programs list on the PAS host). If the version is earlier than 23.1-HF7, the system is vulnerable.
Check Version:
Use the version shown in the PAS administration web interface or recorded by the installer on the PAS host. Agent-side commands (such as the Centrify DirectControl client tools) report the agent version, not the PAS version, and are not a valid check.
Verify Fix Applied:
After patching, confirm that the version shows 23.1-HF7 or later and that requests containing traversal sequences against the web interface no longer return directory listings (only test against systems you are authorized to test).
📡 Detection & Monitoring
Log Indicators:
- Multiple requests containing ../ or ..\ sequences, in raw or URL-encoded form
- Unusual directory listing requests, especially for paths outside the application root
- Requests for known sensitive file paths (system configuration directories, web server configuration, credential stores)
Network Indicators:
- HTTP requests containing ../ or ..\ patterns, or their encoded equivalents (%2e%2e%2f, %2e%2e%5c, %252e%252e%252f)
- Multiple directory enumeration attempts from a single source address in a short period
SIEM Query (Splunk-style syntax; the source name is a placeholder for your PAS web log source):
source="centrify_logs" AND (http_uri="*../*" OR http_uri="*..\\*" OR http_uri="*..%2f*" OR http_uri="*..%5c*" OR http_uri="*%2e%2e%2f*" OR http_uri="*%252e%252e*")
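The WAF guidance and the SIEM query above both depend on catching traversal sequences in request URIs, and a literal ../ match misses the encoded variants. The following is an added example, not code from this page, from Delinea, or from any Centrify product, that normalizes request paths (repeated percent-decoding to defeat double encoding, backslash-to-slash folding) before matching, and then counts hits per source address to surface enumeration. The log format, the log lines, the /portal/static/ path prefix and the 10.0.0.x addresses are constructed for illustration and are not real Centrify PAS logs or paths.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample web-server access log (combined-log shape assumed for
# illustration; not real Centrify PAS log output). It mixes raw, URL-encoded,
# double-encoded and backslash traversal attempts with benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2024:10:00:01 +0000] "GET /portal/static/../../../../etc/passwd HTTP/1.1" 200 512
10.0.0.5 - - [01/Jul/2024:10:00:02 +0000] "GET /portal/static/..%2F..%2F..%2Fwindows/win.ini HTTP/1.1" 200 98
10.0.0.5 - - [01/Jul/2024:10:00:03 +0000] "GET /portal/static/%252e%252e%252f%252e%252e%252fConfig HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jul/2024:10:00:04 +0000] "GET /portal/static/..\\..\\inetpub HTTP/1.1" 200 300
10.0.0.7 - - [01/Jul/2024:10:00:05 +0000] "GET /portal/static/app.js HTTP/1.1" 200 4096
10.0.0.7 - - [01/Jul/2024:10:00:06 +0000] "GET /portal/docs/release..notes.html HTTP/1.1" 200 200
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A traversal is a whole ".." path segment, so "release..notes.html" is not one.
TRAVERSAL_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def normalize_path(uri: str, max_rounds: int = 3) -> str:
    """Strip the query string, percent-decode repeatedly (bounded, to handle
    double encoding like %252e -> %2e -> .), and fold backslashes to slashes
    because Windows-hosted applications accept both separators."""
    path = uri.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(uri: str) -> bool:
    """True when the normalized path contains a '..' segment."""
    return TRAVERSAL_SEGMENT.search(normalize_path(uri)) is not None


def naive_siem_match(uri: str) -> bool:
    """What a literal '*../*' OR '*..\\*' wildcard query sees: no decoding."""
    return "../" in uri or "..\\" in uri


def analyze(log_text: str, threshold: int = 2):
    """Return (hits, per_source_counts, sources_at_or_above_threshold).
    hits are (source, raw_uri, normalized_path) tuples for traversal requests."""
    hits = []
    per_source = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the job
        uri = m["uri"]
        if is_traversal(uri):
            hits.append((m["src"], uri, normalize_path(uri)))
            per_source[m["src"]] += 1
    enumerating = sorted(s for s, n in per_source.items() if n >= threshold)
    return hits, per_source, enumerating


if __name__ == "__main__":
    hits, per_source, enumerating = analyze(SAMPLE_LOG)
    for src, raw, norm in hits:
        print(f"{src}  {raw}  ->  {norm}")
    print("per-source counts:", dict(per_source))
    print("sources enumerating (>=2 hits):", enumerating)
    uris = [m["uri"] for m in map(LOG_RE.match, SAMPLE_LOG.splitlines()) if m]
    print("literal-pattern query would catch", sum(map(naive_siem_match, uris)),
          "of", len(hits), "traversal requests")
```

Running the sample shows the gap the encoded variants open up: the literal query catches only the raw ../ and ..\ lines, while the decoding detector catches all four. The same normalize-then-match logic is what a WAF rule or SIEM transform should apply before pattern matching; the bounded decode loop avoids pathological inputs that keep decoding forever.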