Security is built into our bones
Delinea's Privileged Access Management solutions are built with security as a foundation from the start. We adhere to industry standards and frameworks, and security testing is a critical component of our software development process alongside continuous Quality Assurance (QA) checks.
Our cybersecurity defense measures address key components, including intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, machine learning, and a Security Operations Center. We also monitor and protect against critical web application security risks, incorporating the OWASP Top 10 and the OWASP Automated Threats (Top 20).
Encryption assured for data in transit and at rest
Customer data is fully isolated and encrypted both in transit and at rest, using AES-256 for encryption and the PBKDF2-HMAC-SHA256 key-derivation function for hashing. Delinea uses a separate encryption key for each customer, with third-party key management support (AWS KMS). Each secret is salted before it is hashed, and is encrypted under its own unique Initialization Vector (IV) and key.
Connections to Delinea cloud services are protected with Transport Layer Security (TLS). Distributed Engine communications are additionally secured with an encryption key unique to each tenant.
Documents
During a customer test of Privilege Manager, a third party discovered a vulnerability in the application, now disclosed as CVE-2024-52926.
The third party approached Delinea with their findings, and in collaboration with Delinea's Development and Security staff, Delinea created a remediation plan in accordance with our responsible disclosure policy.
The vulnerability existed in the Privilege Manager Agent: a non-administrative user could escalate their rights if Privilege Manager had previously elevated a process in that user's session.
Delinea patched the SaaS instance on September 28, 2024 and released a patch for the on-premises version on October 11, 2024. The interval between those release dates and publication of the CVE gave customers time to upgrade before the disclosure went public.
Operators of this software who have not yet installed version 12.0.2153, which remediates the vulnerability, should do so at their earliest convenience.
On 19 July 2024, operators of Microsoft Windows systems that use a CrowdStrike product for endpoint protection experienced outages as a result of a CrowdStrike product update that did not install as planned.
Delinea’s products and services are not affected by any of these outages. Delinea’s SaaS products remain operational and within SLA. Status of Delinea’s SaaS systems can be accessed 24/7 at https://status.delinea.com/.
Customers may elect to subscribe to that status page to receive updates in real-time.
Additionally, Delinea has reached out to our critical vendors and service providers and they continue to provide their services to Delinea in accordance with their agreements with Delinea.
For customers who use CrowdStrike Falcon, Microsoft has released a recovery tool as one option for recovering impacted systems; you can learn more from Microsoft at the link above. Because this is a Microsoft-provided tool, Delinea assumes no responsibility or risk on behalf of customers who choose to use it.
The Apache Software Foundation has published a security advisory for the Apache HTTP Server. The vulnerability is documented in CVE-2024-39884.
Delinea does not use the Apache HTTP Server to provide services. As a precaution, Delinea scanned its assets and verified that no instances of the Apache HTTP Server were present.
As such, Delinea is not impacted by CVE-2024-39884.
1. Description
On July 1, 2024, researchers from Qualys disclosed a vulnerability affecting the OpenSSH server (sshd). When exploited, this vulnerability can result in unauthenticated Remote Code Execution (RCE) with root privileges. It is a signal-handler race condition that was fixed in 2006 (CVE-2006-5051) and reintroduced when the fix was inadvertently removed from later code; because it is a regression, the vulnerability has been named "regreSSHion" and is documented in CVE-2024-6387.
This vulnerability is rated high severity. Based on the information from the researchers at Qualys, the following versions are affected:
- OpenSSH versions earlier than 4.4p1 are vulnerable unless they carry the fixes for CVE-2006-5051 and CVE-2008-4109;
- Versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable because the earlier fix was inadvertently removed. Versions 4.4p1 through 8.4p1 are not affected, and 9.8p1 restores the fix.
Delinea's product teams continue to investigate the impact of this vulnerability and will take corrective action as applicable. Delinea will continue to monitor the situation and provide timely updates as new information becomes available.
2. Customer Recommendations
Customers should continue to follow their organization's information security program and upgrade affected OpenSSH installations to 9.8p1 or to a distribution build that backports the fix. Where an immediate upgrade is not possible, setting LoginGraceTime 0 in sshd_config removes the exploitable race window, at the cost of leaving sshd exposed to connection-exhaustion denial of service. Organizations should remain vigilant for indicators of unauthorized access to their assets; for this vulnerability, which requires many connection attempts, repeated sshd log entries for connections that time out before authentication are the signal to watch.
3. Exposure by Application Portfolio
3.1. Account Lifecycle Manager
Not impacted
3.2. Cloud Suite and PAS
Not impacted
3.3. Cloud Manager
Not impacted
3.4. Connection Manager
Not impacted
3.5. DevOps Secrets Vault
Not impacted
3.6. Identity Threat Detection and Response (Authomize)
Not impacted
3.7. Identity Governance and Administration (Fastpath)
The product is impacted by this vulnerability. Delinea will update those software components in the next release. In accordance with Delinea’s vulnerability management program, delivery is expected no later than August 1, 2024.
3.8. Privileged Behavior Analytics
Not impacted
3.9. Privilege Manager
Not impacted
3.10. Remote Access Service
Not impacted
3.11. Secret Server
Not impacted
3.12. Server Suite
The product is impacted by this vulnerability. Delinea will update those software components in the next release. In accordance with Delinea’s vulnerability management program, delivery is expected no later than August 1, 2024.
3.13. Web Password Filler
Not impacted
3.14. Mobile applications
Not impacted
Delinea is aware of the recent disclosure of a high-severity vulnerability involving OpenSSH, documented in CVE-2024-6387. Delinea is currently analyzing the situation and its potential impact. We will post additional information here as it becomes available.
During a customer test of Cloud Suite, a third party discovered vulnerabilities in the application, now disclosed as CVE-2024-5865 and CVE-2024-5866.
The third party approached Delinea with their findings, and in collaboration with Delinea's Development and Security staff, Delinea created a remediation plan.
To remediate these vulnerabilities, Delinea released Hyper Scalable Privilege Access Service (HSPAS) version 23.1-HF7 on February 19, 2024 and Cloud Suite version 23.1-HF7 on February 27, 2024, which address the findings in both CVEs.
As part of responsible disclosure, the third party allowed time for customers to upgrade before the CVEs were published.
HSPAS customers who have not yet done so should upgrade to version 23.1-HF7 at their earliest convenience. No action is required for Cloud Suite customers.
If you need help using this Trust Center, please contact us.
If you think you may have discovered a vulnerability, please send us a note.