CVE-2021-31797 – CyberArk Credential Provider Race Condition / Authorization Bypass
https://notcve.org/view.php?id=CVE-2021-31797
The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure. CyberArk's Credential Provider loopback communications on TCP port 18923 are encrypted with key material that has extremely low entropy. In all currently-known use cases, the effective key space is less than 2^16. For an attacker who understands the key derivation scheme and encryption mechanics, knowledge of the source port and access to the payloads of a given client-server exchange are sufficient to reduce the effective key space to one. In cases where the source port is not known, the encrypted payloads will be unable to withstand a brute force attack.
• http://packetstormsecurity.com/files/164033/CyberArk-Credential-Provider-Race-Condition-Authorization-Bypass.html
• http://seclists.org/fulldisclosure/2021/Sep/2
• https://korelogic.com/Resources/Advisories/KL-001-2021-009.txt
• https://www.cyberark.com/resources/blog
• CWE-331: Insufficient Entropy
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2021-37151
https://notcve.org/view.php?id=CVE-2021-37151
CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords.
• https://www.cyberark.com/products
• https://www.gov.il/en/departments/faq/cve_advisories
• CWE-203: Observable Discrepancy
CVE-2020-25738
https://notcve.org/view.php?id=CVE-2020-25738
CyberArk Endpoint Privilege Manager (EPM) 11.1.0.173 allows attackers to bypass a Credential Theft protection mechanism by injecting a DLL into a process that normally has credential access, such as a Chrome process that reads credentials from a SQLite database.
• https://gist.github.com/inc0d3/47294c1e73ef8cbdc098e739d086efbc
• https://www.cyberark.com/resources/blog/introducing-cyberark-endpoint-privilege-manager
• CWE-427: Uncontrolled Search Path Element
CVE-2020-25374
https://notcve.org/view.php?id=CVE-2020-25374
CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time.
• https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20SysReq/System%20Requirements%20-%20PSM.htm
• https://medium.com/%40virajmota38/full-path-disclosure-8a9358e5a867
• CWE-613: Insufficient Session Expiration
CVE-2020-4062 – Improper Access Control in Conjur OSS Helm Chart
https://notcve.org/view.php?id=CVE-2020-4062
In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. This allows an attacker to gain full read & write access to the Conjur Postgres database, including escalating the attacker's privileges to assume full control. A malicious actor who knows the IP address and port number of the Postgres database and has access into the Kubernetes cluster where Conjur runs can gain full read & write access to the Postgres database. This enables the attacker to write a policy that allows full access to retrieve any secret. This Helm chart is a method to install Conjur OSS into a Kubernetes environment.
• https://github.com/cyberark/conjur-oss-helm-chart/commit/2dab801ed4ab591c626fc6674f306fcf0d004c1e
• https://github.com/cyberark/conjur-oss-helm-chart/security/advisories/GHSA-mg2m-623j-wpxw
• CWE-284: Improper Access Control