Trust Center


Security is built into our bones

Delinea’s Privileged Access Management solutions are built with security as a foundation from the start. We adhere to industry standards and frameworks, and ensure security testing is performed as a critical component of our software development processes along with continuous Quality Assurance (QA) checks.

Our cybersecurity defense measures address key components, including intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, machine learning, and a Security Operations Center. We also monitor and protect against critical web application security risks, incorporating the OWASP Top 10 and Automated Top 20 threats.

Encryption assured for data in transit and at rest

Customer data is fully isolated and encrypted both in transit and at rest, using the AES-256 standard encryption algorithm and PBKDF2-HMAC-SHA256 hashing algorithm. Delinea uses private encryption keys for each customer, with third-party key management support (AWS KMS). Secrets are systematically “salted” before being hashed and encrypted with their own unique Initialization Vector and Key.

Connections to Delinea cloud services are protected via Transport Layer Security (TLS). Distributed Engine communications are also secured with an additional encryption key unique to each tenant.

ISO 27001

Trust Center Updates

Delinea’s Statement on CrowdStrike-Related Events

General

On 19 July, operators of Microsoft Windows systems that use a CrowdStrike product for endpoint protection experienced outages as a result of a CrowdStrike product update that did not install as planned.

Delinea’s products and services are not affected by any of these outages. Delinea’s SaaS products remain operational and within SLA. Status of Delinea’s SaaS systems can be accessed 24/7 at https://status.delinea.com/.

Customers may elect to subscribe to that status page to receive updates in real-time.

Additionally, Delinea has reached out to our critical vendors and service providers and they continue to provide their services to Delinea in accordance with their agreements with Delinea.

For those customers who are users of CrowdStrike Falcon, Microsoft has created a recovery tool which is an option for enabling recovery of impacted systems. You can learn more from Microsoft at the link above. As this is a Microsoft provided tool, Delinea does not assume any responsibility or risk on behalf of our customers who decide to use this tool.

Published at N/A

Delinea's analysis of CVE-2024-39884

Vulnerabilities

The Apache Foundation has released a critical CVE for their HTTP Server. The vulnerability is documented in CVE-2024-39884.

Delinea does not use the Apache HTTP Server to provide services. As a precaution, Delinea ran a scan of its assets to verify no traces of the Apache HTTP Server were found.

As such, Delinea is not impacted by CVE-2024-39884.

Published at N/A

CVE-2024-6387; a Race Condition was Found in OpenSSH

Vulnerabilities

  1. Description

On July 1, 2024, researchers from Qualys disclosed a vulnerability affecting the OpenSSH server. When exploited, this vulnerability can result in unauthenticated Remote Code Execution (RCE) with root privileges. It takes advantage of a flaw that had been patched in an earlier version of OpenSSH but has reappeared because the previously patched code was removed. As such, this vulnerability has been given the name “regreSSHion” and is documented in CVE-2024-6387.

This vulnerability is rated high severity. Based on the information from the researchers at Qualys, the following versions are affected:

  • OpenSSH versions earlier than 4.4p1 are vulnerable unless they are patched for CVE-2006-5051 and CVE-2008-4109;
  • Versions from 8.5p1 up to, but not including, 9.8p1 due to the suspected accidental removal of previously patched code.

Delinea’s product teams continue to investigate the impact of such vulnerabilities and will take corrective action as applicable. Delinea will continue to monitor and provide timely updates as information is discovered and/or becomes available.

  2. Customer Recommendations

Customers should continue to follow their organization’s information security program. Organizations should remain vigilant for indicators of unauthorized access to their assets in general.

  3. Exposure by Application Portfolio

3.1. Account Lifecycle Manager

Not impacted

3.2. Cloud Suite and PAS

Not impacted

3.3. Cloud Manager

Not impacted

3.4. Connection Manager

Not impacted

3.5. DevOps Secrets Vault

Not impacted

3.6. Identity Threat Detection and Response (Authomize)

Not impacted

3.7. Identity Governance and Administration (Fastpath)

The product is impacted by this vulnerability. Delinea will update those software components in the next release. In accordance with Delinea’s vulnerability management program, delivery is expected no later than August 1, 2024.

3.8. Privileged Behavior Analytics

Not impacted

3.9. Privilege Manager

Not impacted

3.10. Remote Access Service

Not impacted

3.11. Secret Server

Not impacted

3.12. Server Suite

The product is impacted by this vulnerability. Delinea will update those software components in the next release. In accordance with Delinea’s vulnerability management program, delivery is expected no later than August 1, 2024.

3.13. Web Password Filler

Not impacted

3.14. Mobile applications

Not impacted

Published at N/A*

Delinea is aware of the recent disclosure of a high-rated vulnerability involving OpenSSH. For reference, the CVE is CVE-2024-6387. Delinea is currently analyzing the situation and potential impact. We will post additional information here as it becomes available.

Published at N/A*

Disclosure of CVE-2024-5865 and CVE-2024-5866

Vulnerabilities

During a customer test of Cloud Suite, a third party discovered vulnerabilities in the application -- which are now disclosed in CVE-2024-5865 and CVE-2024-5866.

The third party approached Delinea with their findings and in collaboration with Delinea's Development and Security staff, Delinea created a remediation plan.

To remediate these vulnerabilities, Delinea released Cloud Suite version 23.1-HF7 on February 27, 2024 and Hyper Scalable Privilege Access Service (HSPAS) version 23.1-HF7 on February 19, 2024, which remediated the findings in those CVEs.

As a part of responsible disclosure, the third party allowed time for customers to upgrade before going live with the CVEs.

If HSPAS customers have not done so yet, customers should upgrade their HSPAS versions to version 23.1-HF7 at their earliest convenience. No action is required for Cloud Suite customers.

Published at N/A*

Disclosure of CVE-2024-39708

Vulnerabilities

During a customer test of Privilege Manager, a third party discovered a vulnerability in the application. That vulnerability is now disclosed in CVE-2024-39708.

The third party approached Delinea with their findings and in collaboration with Delinea's Development and Security staff, Delinea created a remediation plan.

Delinea released a cloud update, version 12.0.1 on June 22, 2024 and agent version 12.0.1096 on July 1, 2024 which remediated the findings in that CVE.

Customers should upgrade their agent versions to version 12.0.1096 at their earliest convenience.

Published at N/A*

Delinea is Working to Become a CVE Numbering Authority (CNA)

General

A Common Vulnerabilities and Exposures entry, more commonly known as a CVE, is a public disclosure of an information security vulnerability. It is an important tool security practitioners use to track security-related concerns as they keep their assets safe.

The current CVE process is inefficient and inaccurate.

In the last two years, Delinea has experienced problematic CVEs:

  • which do not state an actual vulnerability in the software;
  • where the submitter and/or the CNA did not disclose the finding to Delinea before the CVE was published;
  • where no software, versions, exploit code, working proof of concept, or any other materials were provided to Delinea at any time for analysis.

This process requires Delinea to spend valuable security resources to investigate. Ultimately, it does not advance our mission to keep information security practitioners and the public informed of potentially impactful vulnerabilities.

In order to improve management of vulnerabilities that impact Delinea products and to keep our customers and the public informed, Delinea needs to take greater control of the process. Moving forward Delinea is prioritizing the work required to become a CVE Numbering Authority (CNA). Delinea is pursuing the CNA designation in an effort to:

  • increase timeliness of getting information to the public;
  • improve the quality and accuracy of the information released to the public by ensuring it comes directly from the actual experts on Delinea’s products.

Currently, per Delinea’s Responsible Disclosure Policy, researchers who submit eligible vulnerabilities to Delinea will be assisted by our engineering team to validate the submission. When Delinea becomes a CNA for verified vulnerabilities, Delinea will assign the CVE ID to the researcher for credit.

Published at N/A*

Delinea's Response Regarding Attacks on Snowflake Customers

General

Snowflake, a leading cloud-based data storage and analytics provider, has recently been subject to attacks in which threat actors obtained credentials to Snowflake customer accounts and accessed those systems.

In Delinea’s corporate network, Delinea uses Snowflake for very limited internal research and development work. Customer data is not used in this instance. Delinea has reviewed all uses of Snowflake internally and did not find any indicators of compromise. Delinea has rotated credentials for those who access Snowflake internally.

Delinea also uses Snowflake in its Identity Governance and Administration (IGA) product to store internal application audit logs and connection logs generated by customers in the IGA platform.

Delinea has reviewed the Snowflake account used by the IGA platform and did not find any indicators of compromise. In addition, we have reviewed our network policies and reviewed all service accounts to verify that key-pair authentication is required.

Published at N/A*

Secret Server Vulnerability

Vulnerabilities

Secret Server on premises release 11.7.2 (11.7.000002) is now available. This version corrects the encryption key used in identity token generation to prevent third party decryption and modification of the authentication token. Delinea is delivering this version to prevent any exploitation of the key identified in the Medium.com post from April 10, 2024. Delinea has not seen exploitation of this vulnerability. 11.7.2 is a preventative patch.

Delinea recommends on premises customers install version 11.7.2 at their earliest convenience.

Secret Server Cloud and Delinea Platform were automatically updated for all SaaS customers on May 3rd, 2024.

Published at N/A*

A Root Cause Analysis (RCA) of this vulnerability is now available for download for customers under Mutual Non-Disclosure Agreement (MNDA). Please see the "Documents" section towards the top of this page.

Published at N/A*

Important reminder for on premises customers.

The instructions posted on April 12, 2024, which identified changes to the web config file, were an immediate response to ensure the continued secure operation of the software. However, modifying the web config is a short-term mitigation of exposure to the vulnerability.

The long-term, permanent fix is included in version 11.7.000001, which was made available to all on premises customers on April 13, 2024. Version 11.7.000001 addresses the SOAP endpoint vulnerability and also resolves an associated low privilege escalation (LPE) vulnerability identified in our internal assessment.

Version 11.7.000001 contains the permanent fix to both vulnerabilities. Customers are encouraged to install 11.7.000001 at their earliest convenience, add version 11.7.000001 as the minimum version to their configuration management baseline, and ensure any images customers may maintain are updated to version 11.7.000001 as well.

Published at N/A*

The cybersecurity research community plays a key role in helping software vendors like us improve the security of their products. We appreciate the information provided by the researcher and the efforts they and CERT undertook in their attempts to notify us of the findings. We thank the researcher for their work and helpful responsible disclosure contributions. They all followed the right protocols for responsible disclosure.

Unfortunately, we made the entry into Delinea more complicated than it should have been and as such the disclosure was prevented from reaching our security team -- even though we had it internally.

We have done several things to adjust to ensure this doesn't happen again. Specifically, our recently relaunched Trust Center at http://trust.delinea.com has a clear and direct path for submission on the front page of Trust Center. We value researcher submissions and invite input openly.

We are reviewing all related processes and procedures for handling responsible disclosure communications and internal reporting, focusing first on our customer-facing teams.

We are conducting training and awareness sessions for all team members. We also welcome input on other continuous improvement measures.

Finally, trust between Delinea, our customers, and the broader security community is essential. The researcher and CERT both did their job well and we appreciate it. Delinea did not and that is our responsibility, and we are fixing that.

Published at N/A*

We have published the latest update for Secret Server On-Premises (Version 11.7.000001) that resolves this vulnerability and is available for download. Patches for prior versions with the same fix will follow as testing is completed.

Published at N/A*

This is an update regarding the critical vulnerability in the Secret Server SOAP API which could allow an attacker to bypass authentication.

Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable.

Our Engineering and Security teams have completed their research for any evidence of compromised tenant data. At this time we have found no evidence that any customer's data has been compromised, and no attempts to exploit the vulnerability have occurred. As always, we are actively monitoring our service.

Published at N/A*

We became aware of a critical vulnerability in the Secret Server SOAP API which could allow an attacker to bypass authentication. The REST API was not impacted.

Delinea is actively addressing the impact of this vulnerability.

Actions we have taken thus far:

  • For Secret Server Cloud customers, this vulnerability, which is limited to the SOAP endpoints, is now blocked in all regions, effectively removing this exposure. This block will remain in place until Delinea can patch the service. We will continue to provide updates within your support portal.

  • Customers can use this Indicators of Compromise (IoC) guide to search for IoCs and determine clearly whether an exploit has occurred.

As this is an evolving situation, Delinea's product teams will continue to assess and monitor the impact of this vulnerability, including reviewing information published and notified to us by a researcher. We will take corrective action and provide updates at trust.delinea.com.

For additional questions, please contact Support at support@delinea.com.

Published at N/A*

Delinea’s analysis of CVE-2024-3094 and recommendations to its customers

Vulnerabilities

Description

On 29 March 2024, Red Hat disclosed a compromise in the liblzma library, which Linux operating systems use to perform general-purpose data compression and which provides some command-line tools.

Initial reports indicated this compromise targets Debian or SUSE operating systems. When analyzing the script that facilitates exploitation of the compromised library, there is no call to a distribution-specific package installer that would tie this compromise to a given operating system. The only check the malicious script performs before attempting its actions is that the target host is running a 64-bit operating system.

When exploited, an adversary could use the Secure Shell Protocol (SSH) to securely run commands on a targeted host.

If liblzma is a compression library and SSH is a communications protocol, then what is the relationship between the two that facilitates exploitation? First, because of integration with the OS’ system manager, the liblzma code gets initialized when the SSH service starts. Next, the malicious code replaces the RSA_public_decrypt method, which is used to validate SSH keys. With RSA_public_decrypt compromised, an adversary can obtain secure access to the targeted host.

This vulnerability is rated critical and has a CVSS score of 10. To exploit the liblzma compromise, the following must be in place:

  • A targeted host has to be running liblzma versions 5.6.0 or 5.6.1; no other versions are considered compromised
  • The adversary’s private SSH key has to be used
  • The private SSH key in question has not been found on the internet

Delinea performed a scan of systems and of the source code repository and did not find the affected library. Delinea does not have exposure to the vulnerability described in the CVE in any software that Delinea delivers, as liblzma is not used. However, as with many other vulnerabilities, this is an evolving situation. All Delinea’s product teams will continue to assess and monitor the impact of this CVE and will take corrective action and provide updates as applicable.

Customer recommendations

On-Prem Customer recommendations

  • Customers should continue to follow their organization’s information security program. As the ability to exploit the compromised library is predicated on the very specific conditions listed above, organizations should check their inventory for affected versions of liblzma.
  • If an affected version is found, it should be downgraded to version 5.4 until a trusted version of the library greater than 5.6.1 is published.
  • Organizations should remain vigilant for indicators in general of unauthorized access to their assets.
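As an added example (not Delinea's code) serving both the OpenSSH advisory and the liblzma recommendations above: an inventory screening script that classifies `ssh -V` banners and `xz --version` output against the version ranges stated on this page. The host names and version strings in the sample inventory are constructed.

```python
# Added example (not Delinea's code): screen version strings from an inventory
# against the affected ranges stated in the two advisories on this page.
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges as given on this page; 'p' releases compare as (major, minor, p).
OPENSSH_REGRESSED = ((8, 5, 1), (9, 8, 1))  # 8.5p1 <= v < 9.8p1 (CVE-2024-6387)
OPENSSH_LEGACY_CUTOFF = (4, 4, 1)           # < 4.4p1 unless patched for CVE-2006-5051/CVE-2008-4109
LIBLZMA_COMPROMISED = {(5, 6, 0), (5, 6, 1)}  # CVE-2024-3094

def parse_openssh(banner: str) -> Optional[Version]:
    """'OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 ...' -> (9, 6, 1)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    return None if not m else (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def parse_liblzma(text: str) -> Optional[Version]:
    """'xz (XZ Utils) 5.6.1\\nliblzma 5.6.1' -> (5, 6, 1); first x.y.z wins."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return None if not m else (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def openssh_status(banner: str, legacy_patched: bool = False) -> str:
    """Classify an 'ssh -V' banner against the CVE-2024-6387 ranges."""
    v = parse_openssh(banner)
    if v is None:
        return "unknown"
    if v < OPENSSH_LEGACY_CUTOFF:
        # legacy_patched: host carries the CVE-2006-5051 / CVE-2008-4109 fixes
        return "not-affected" if legacy_patched else "vulnerable"
    low, high = OPENSSH_REGRESSED
    return "vulnerable" if low <= v < high else "not-affected"

def liblzma_status(text: str) -> str:
    """Classify 'xz --version' output against the CVE-2024-3094 versions."""
    v = parse_liblzma(text)
    if v is None:
        return "unknown"
    return "compromised" if v in LIBLZMA_COMPROMISED else "not-affected"

def sweep(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """(host, ssh banner, xz output) rows -> rows needing action; 'unknown' is reported too."""
    findings = []
    for host, ssh_banner, xz_output in inventory:
        ssh, lzma = openssh_status(ssh_banner), liblzma_status(xz_output)
        if ssh != "not-affected" or lzma != "not-affected":
            findings.append((host, ssh, lzma))
    return findings

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("bastion-1", "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024", "xz (XZ Utils) 5.4.5\nliblzma 5.4.5"),
    ("build-2", "OpenSSH_9.8p1, OpenSSL 3.0.14 4 Jun 2024", "xz (XZ Utils) 5.6.1\nliblzma 5.6.1"),
    ("legacy-3", "OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w", "xz (XZ Utils) 5.2.5\nliblzma 5.2.5"),
]
```

Distribution packages often backport fixes without changing the upstream version string, so treat a "vulnerable" result as a prompt to confirm against the vendor's advisory rather than as a final verdict.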

Customer recommendations – SaaS

For SaaS products, no actions on the part of the customer are necessary. There is no impact to any of Delinea’s products or services as liblzma is not installed in the production environment.

Exposure by Application Portfolio

There is no impact to any of Delinea’s products or services as liblzma is not used by delivered software.

Published at N/A*

If you need help using this Trust Center, please contact us.

If you think you may have discovered a vulnerability, please send us a note.
