Secret Server Vulnerability

Trust Center


Overview

Security is built into our bones

Delinea’s Privileged Access Management solutions are built with security as a foundation from the start. We adhere to industry standards and frameworks, and security testing is a critical component of our software development process, alongside continuous Quality Assurance (QA) checks.

Our cybersecurity defense measures address key components, including intrusion detection, Distributed Denial-of-Service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, machine learning, and a Security Operations Center. We also monitor and protect against critical web application security risks, incorporating the OWASP Top 10 and the OWASP Automated Threats (Top 20) lists.

Encryption assured for data in transit and at rest

Customer data is fully isolated and encrypted both in transit and at rest, using AES-256 encryption and the PBKDF2-HMAC-SHA256 key derivation function. Delinea uses a private encryption key for each customer, with third-party key management support (AWS KMS). Secrets are systematically salted before being hashed, and each is encrypted with its own unique Initialization Vector and key.

Connections to Delinea cloud services are protected via Transport Layer Security (TLS). Distributed Engine communications are also secured with an additional encryption key unique to each tenant.

Trust Center Updates

Secret Server Vulnerability

Vulnerabilities

Secret Server on premises release 11.7.2 (11.7.000002) is now available. This version corrects the encryption key used in identity token generation, preventing third-party decryption and modification of the authentication token. Delinea is delivering this version to prevent any exploitation of the key identified in the Medium.com post of April 10, 2024. Delinea has not seen exploitation of this vulnerability; 11.7.2 is a preventative patch.

Delinea recommends on premises customers install version 11.7.2 at their earliest convenience.

Secret Server Cloud and Delinea Platform were automatically updated for all SaaS customers on May 3, 2024.


A Root Cause Analysis (RCA) of this vulnerability is now available for download for customers under Mutual Non-Disclosure Agreement (MNDA). Please see the "Documents" section towards the top of this page.


Important reminder for on premises customers.

The instructions posted on April 12, 2024, which identified changes to the web.config file, were an immediate response to ensure the continued secure operation of the software. However, modifying web.config is a short-term mitigation that reduces exposure to the vulnerability; it is not a fix.

The long-term, permanent fix is included in version 11.7.000001, which was made available to all on premises customers on April 13, 2024. Version 11.7.000001 addresses the SOAP endpoint vulnerability and also resolves an associated low privilege escalation (LPE) vulnerability identified in our internal assessment.

Version 11.7.000001 contains the permanent fix for both vulnerabilities. Customers are encouraged to install 11.7.000001 at their earliest convenience, add 11.7.000001 as the minimum version in their configuration management baseline, and ensure that any images they maintain are updated to 11.7.000001 as well.
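One way to enforce that baseline across an on premises fleet is to normalise the two version formats Secret Server reports (the short "11.7.2" form and the build form "11.7.000002") and compare each host against the minimum. The script below is an added example and not Delinea's own tooling; it assumes, based on the "11.7.2 (11.7.000002)" pairing above, that the third component is the same number in both forms, and the inventory it checks is constructed.

```python
import re
from typing import Dict, List, Tuple

# Baselines taken from the advisory text:
#   11.7.000001 - permanent fix for the SOAP authentication bypass and the related LPE
#   11.7.000002 - additionally replaces the identity-token encryption key
BASELINE_SOAP_FIX = "11.7.000001"
BASELINE_TOKEN_KEY_FIX = "11.7.000002"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise a Secret Server version string to (major, minor, build).

    Accepts '11.7.2', '11.7.000002' and '11.7.2 (11.7.000002)'; when a
    parenthesised build form is present it is preferred. ASSUMPTION: the
    third component is the same integer in both forms.
    """
    text = text.strip()
    paren = re.search(r"\(([\d.]+)\)", text)
    if paren:
        text = paren.group(1)
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = (int(p) for p in m.groups())
    return (major, minor, build)


def meets_baseline(installed: str, baseline: str) -> bool:
    """True when the installed version is at or above the baseline."""
    return parse_version(installed) >= parse_version(baseline)


def assess_inventory(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per host, the list of baselines the installed version misses."""
    findings: Dict[str, List[str]] = {}
    for host, version in hosts.items():
        missing = []
        if not meets_baseline(version, BASELINE_SOAP_FIX):
            missing.append("SOAP auth bypass / LPE fix (11.7.000001)")
        if not meets_baseline(version, BASELINE_TOKEN_KEY_FIX):
            missing.append("identity token key fix (11.7.000002)")
        findings[host] = missing
    return findings


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "ss-prod-01": "11.7.2 (11.7.000002)",
    "ss-prod-02": "11.7.000001",
    "ss-dr-01": "11.6.000009",
    "ss-lab-01": "11.7.000000",
}

if __name__ == "__main__":
    for host, missing in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'OK' if not missing else '; '.join(missing)}")
```

Hosts that only meet 11.7.000001 are reported as still missing the token-key fix, which mirrors the two-step guidance on this page: the SOAP fix is mandatory and 11.7.2 is the recommended follow-on.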


The cybersecurity research community plays a key role in helping software vendors like us improve the security of their products. We appreciate the information provided by the researcher and the efforts they and CERT undertook in their attempts to notify us of the findings. We thank the researcher for their work and helpful responsible disclosure contributions. They all followed the right protocols for responsible disclosure.

Unfortunately, our intake path into Delinea was more complicated than it should have been, and as a result the disclosure did not reach our security team, even though we had received it internally.

We have done several things to adjust to ensure this doesn't happen again. Specifically, our recently relaunched Trust Center at http://trust.delinea.com has a clear and direct path for submission on the front page of Trust Center. We value researcher submissions and invite input openly.

We are reviewing all related processes and procedures for handling responsible disclosure communications and internal reporting, focusing first on our customer-facing teams.

We are conducting training and awareness sessions for all team members. We also welcome input on other continuous improvement measures.

Finally, trust between Delinea, our customers, and the broader security community is essential. The researcher and CERT both did their job well and we appreciate it. Delinea did not and that is our responsibility, and we are fixing that.


We have published the latest update for Secret Server On-Premises (Version 11.7.000001) that resolves this vulnerability and is available for download. Patches for prior versions with the same fix will follow as testing is completed.


This is an update regarding the critical vulnerability in the Secret Server SOAP API which could allow an attacker to bypass authentication.

Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable.

Our Engineering and Security teams have completed their search for evidence of compromised tenant data. At this time we have found no evidence that any customer's data has been compromised, and no attempts to exploit the vulnerability have occurred. As always, we are actively monitoring our service.


We became aware of a critical vulnerability in the Secret Server SOAP API which could allow an attacker to bypass authentication. The REST API was not impacted.

Delinea is actively addressing the impact of this vulnerability.

Actions we have taken thus far:

  • For Secret Server Cloud customers, the SOAP endpoints, to which this vulnerability is limited, are now blocked in all regions, effectively removing the exposure. This block will remain in place until Delinea can patch the service. We will continue to provide updates within your support portal.

  • Customers can use this Indicators of Compromise (IoC) guide to search for IoCs and determine whether an exploit has occurred.

As this is an evolving situation, Delinea's product teams will continue to assess and monitor the impact of this vulnerability, including reviewing information published and notified to us by a researcher. We will take corrective action and provide updates at trust.delinea.com.

For additional questions, please contact Support at support@delinea.com.
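Because the vulnerability was limited to the SOAP API and the REST API was not affected, the first question for an on premises investigation is who called the SOAP endpoint, from where, and with what result. The script below is an added example and not Delinea's IoC guide: it parses IIS W3C extended log lines, isolates SOAP API requests, and reports every SOAP call from a source that is not on an allow list of known integration hosts. It assumes the SOAP API is served from the webservices/SSWebService.asmx path under the application root and the REST API under /api/ (neither path is stated on this page), and the log lines are constructed.

```python
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Set

# ASSUMPTION: the SOAP API is served at <app root>/webservices/SSWebService.asmx
# and the REST API under <app root>/api/. Neither path is given in the advisory.
SOAP_MARKER = "/webservices/sswebservice.asmx"
REST_MARKER = "/api/"


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line of an IIS W3C extended log.

    The '#Fields:' directive names the columns; other '#' lines are metadata.
    Lines whose column count does not match the header are skipped as malformed.
    """
    fields: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if not fields:
            raise ValueError("request line encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> str:
    """Label a request as 'soap', 'rest' or 'other' from its URI stem."""
    stem = rec.get("cs-uri-stem", "").lower()
    if SOAP_MARKER in stem:
        return "soap"
    if REST_MARKER in stem:
        return "rest"
    return "other"


def triage(lines: Iterable[str], expected_clients: Set[str]) -> Dict[str, object]:
    """Summarise SOAP API usage: requests per source IP, plus every SOAP call
    from an address not in the allow list (with its HTTP status, so that a 200
    from an unknown source stands out from a failed probe)."""
    per_ip: Counter = Counter()
    unexpected: List[Dict[str, str]] = []
    for rec in parse_w3c(lines):
        if classify(rec) != "soap":
            continue
        ip = rec["c-ip"]
        per_ip[ip] += 1
        if ip not in expected_clients:
            unexpected.append({
                "time": f"{rec['date']} {rec['time']}",
                "ip": ip,
                "method": rec["cs-method"],
                "status": rec["sc-status"],
                "user_agent": rec.get("cs(User-Agent)", "-"),
            })
    return {"per_ip": dict(per_ip), "unexpected": unexpected}


# Constructed sample log: hostnames, addresses and timings are invented for the example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-04-12 03:14:07 10.0.0.5 POST /SecretServer/webservices/SSWebService.asmx - 443 - 10.0.0.20 Mozilla/5.0 - 200 0 0 45
2024-04-12 03:14:09 10.0.0.5 POST /SecretServer/webservices/SSWebService.asmx - 443 - 203.0.113.9 python-requests/2.31.0 - 200 0 0 120
2024-04-12 03:14:10 10.0.0.5 GET /SecretServer/api/v1/secrets - 443 - 203.0.113.9 python-requests/2.31.0 - 401 0 0 3
2024-04-12 03:15:00 10.0.0.5 POST /SecretServer/webservices/SSWebService.asmx - 443 - 198.51.100.7 curl/8.4.0 - 500 0 0 30
2024-04-12 03:15:02 10.0.0.5 GET /SecretServer/Login.aspx - 443 - 10.0.0.21 Mozilla/5.0 - 200 0 0 10
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines(), expected_clients={"10.0.0.20"})
    print("SOAP requests per source:", result["per_ip"])
    for hit in result["unexpected"]:
        print("unexpected SOAP caller:", hit)
```

The allow list is the key input: integration hosts that legitimately use the SOAP API should be enumerated before running this, so that the output is a short list of sources worth correlating with the vendor's IoC guide rather than a dump of all API traffic.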


Delinea’s analysis of CVE-2024-3094 and recommendations to its customers.

Vulnerabilities

Description

On 29 March 2024, Red Hat disclosed a compromise of the liblzma library, which Linux operating systems use for general-purpose data compression and which ships alongside the xz command-line tools.

Initial reports indicated that this compromise affected Debian- or SUSE-based operating systems. When analyzing the script that facilitates exploitation of the compromised library, there is no call to a distribution-specific package installer that would tie the compromise to one operating system. The only check the malicious script performs before taking action is to confirm that the target host is running a 64-bit operating system.

When exploited, an adversary could use the Secure Shell Protocol (SSH) to run commands remotely on a targeted host.

If liblzma is a compression library and SSH is a communications protocol, what is the relationship between the two that facilitates exploitation? First, because distribution builds of the SSH daemon integrate with the OS service manager (libsystemd), which in turn loads liblzma, the liblzma code is initialized when the SSH service starts. Next, the malicious code replaces the RSA_public_decrypt function, which the SSH daemon uses to verify RSA key signatures during authentication. With RSA_public_decrypt compromised, an adversary holding the matching private key can obtain access to the targeted host.

This vulnerability is rated critical with a CVSS score of 10.0. To exploit the liblzma compromise, the following must be in place:

  • The targeted host has to be running liblzma version 5.6.0 or 5.6.1; no other versions are considered compromised
  • The adversary’s own private SSH key has to be used; the backdoor does not open access to anyone else
  • The private SSH key in question has not been found on the internet

Delinea performed a scan of its systems and of the source code repository and did not find the affected library. Delinea has no exposure to the vulnerability described in the CVE in any software that Delinea delivers, as liblzma is not used. However, as with many other vulnerabilities, this is an evolving situation. All of Delinea’s product teams will continue to assess and monitor the impact of this CVE, take corrective action, and provide updates as applicable.

Customer recommendations

On-Prem Customer recommendations

  • Customers should continue to follow their organization’s information security program. As the ability to exploit the compromised library depends on the very specific conditions listed above, organizations should check their inventory for affected versions of liblzma.
  • If an affected version is found, it should be downgraded to a 5.4.x release until a trusted version of the library later than 5.6.1 is published.
  • Organizations should remain vigilant for indicators of unauthorized access to their assets in general.
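A practical inventory check follows from the conditions above: the host is exposed only if liblzma is 5.6.0 or 5.6.1 and the SSH daemon actually loads liblzma (on distribution builds, transitively through libsystemd). The script below is an added example, not Delinea's tooling; it parses `xz --version` and `ldd` output, which it reads from constructed sample strings in its tests and from the live host in `check_host()`. The path /usr/sbin/sshd is assumed as the fallback daemon location.

```python
import os
import re
import shutil
import subprocess
from typing import Dict, Optional, Sequence, Tuple

# Versions the advisory identifies as compromised; all others are treated as clean.
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}


def parse_xz_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract the liblzma version from `xz --version` output.

    The tool prints two lines, e.g. (constructed sample):
        xz (XZ Utils) 5.6.1
        liblzma 5.6.1
    The library line is preferred because it is the linked library that matters.
    """
    m = re.search(r"^liblzma\s+(\d+)\.(\d+)\.(\d+)", output, re.MULTILINE)
    if not m:
        m = re.search(r"XZ Utils\)\s+(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Sequence[int]) -> bool:
    """True only for the two compromised releases named in the advisory."""
    return tuple(version[:3]) in AFFECTED_VERSIONS


def sshd_liblzma_path(ldd_output: str) -> Optional[str]:
    """Return the liblzma path sshd resolves, or None if sshd never loads it.

    `ldd` lists transitive dependencies, so liblzma appears here when sshd is
    linked against libsystemd even though sshd itself never names liblzma.
    """
    for line in ldd_output.splitlines():
        if "liblzma" in line:
            m = re.search(r"=>\s*(\S+)", line)
            return m.group(1) if m else line.strip()
    return None


def check_host() -> Dict[str, object]:
    """Live check of the current host. Note: `ldd` runs the dynamic loader on
    the binary, which on a compromised host loads the backdoored library into
    the ldd process; prefer running this from a trusted rescue environment."""
    findings: Dict[str, object] = {"xz_version": None, "affected": False, "sshd_liblzma": None}
    if shutil.which("xz"):
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        version = parse_xz_version(out)
        findings["xz_version"] = version
        findings["affected"] = bool(version and is_affected(version))
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"  # ASSUMPTION: fallback path
    if shutil.which("ldd") and os.path.exists(sshd):
        out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
        findings["sshd_liblzma"] = sshd_liblzma_path(out)
    return findings


if __name__ == "__main__":
    result = check_host()
    exposed = result["affected"] and result["sshd_liblzma"] is not None
    print(result)
    print("EXPOSED: downgrade liblzma to 5.4.x and restart sshd" if exposed else "not exposed")
```

A host running 5.6.1 whose sshd does not load liblzma is still worth downgrading, since the compromised library remains on disk, but it does not meet the exploitation conditions listed on this page.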

Customer recommendations – SaaS

For SaaS products, no actions on the part of the customer are necessary. There is no impact to any of Delinea’s products or services as liblzma is not installed in the production environment.

Exposure by Application Portfolio

There is no impact to any of Delinea’s products or services as liblzma is not used by delivered software.


If you need help using this Trust Center, please contact us.

If you think you may have discovered a vulnerability, please send us a note.
