Attackers leverage web application flaw to compromise Password Vault.
A remote code execution (RCE) vulnerability was discovered in a password manager that enabled unauthorized parties to gain entry via the web access application.
The flaw, found in CyberArk’s Enterprise Password Vault, was related to the web application, which allows users to access their accounts remotely.
Attackers were able to inject malicious code which could then be executed by the password vault.
This access could have also been used to create a backdoor, compromising other accounts.
The bug, tracked as CVE-2018-9843, was discovered during a routine penetration test by German firm RedTeam Pentesting GmbH.
The attack takes advantage of a coding error: the deserialization of untrusted data.
RedTeam Pentesting told The Daily Swig: “This vulnerability pertains to the CyberArk REST API. Attackers can craft a manipulated authorization header, containing malicious commands.
“These commands are then executed by the Password Vault Web Access system.
“By exploiting this vulnerability, attackers could, for example, manipulate the Password Vault Web Access web application to gain access to credentials of users of the application or systems managed through the software suite.”
This class of vulnerability has been heavily exploited in recent years, particularly against Java and PHP targets, but other platforms are affected too, including .NET, which CyberArk uses.
The researchers used the open-source tool ysoserial.net to generate a payload that demonstrated the vulnerability in the software.
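As an added illustration (not code from the article, RedTeam Pentesting or CyberArk), the following Python shows what the defender-side fix for this class of bug looks like: an Authorization header is treated as data only, its token is checked against an HMAC before anything is parsed, and the payload is read as plain JSON against a claim allow-list rather than handed to an object deserializer. It also includes a small detector that flags headers whose token decodes to the well-known leading bytes of a .NET BinaryFormatter or Java serialization stream, a useful signal for request logs or a gateway rule. Python is used rather than .NET so the example runs anywhere; the key, claim names and sample header values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys; a real service loads its key from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
OTHER_KEY = b"constructed-key-of-some-other-issuer"

# Leading bytes of two common binary object-serialization formats. A token
# that decodes to one of these is a serialized object graph, not a
# credential, and should be rejected and logged rather than parsed.
SERIALIZED_MAGIC = {
    "dotnet-binaryformatter": b"\x00\x01\x00\x00\x00\xff\xff\xff\xff",
    "java-serialization": b"\xac\xed\x00\x05",
}

# The only claims a valid token may carry, with their required types.
ALLOWED_CLAIMS = {"sub": str, "exp": int}


def _b64decode(text, urlsafe=False):
    """Strict base64 decode; returns None for anything that is not base64."""
    text = text.strip()
    padded = text + "=" * (-len(text) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(padded, altchars=b"-_" if urlsafe else None, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def classify_auth_header(header_value):
    """Return the serialization format name if the header's token decodes to
    a known serialized-object blob (either base64 alphabet), otherwise None."""
    parts = header_value.split()  # "Authorization: <scheme> <token>"
    if not parts:
        return None
    for urlsafe in (False, True):
        raw = _b64decode(parts[-1], urlsafe=urlsafe)
        if raw is None:
            continue
        for name, magic in SERIALIZED_MAGIC.items():
            if raw.startswith(magic):
                return name
    return None


def issue_token(claims, key=SERVER_KEY):
    """Issue a data-only token: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token, key=SERVER_KEY):
    """Check the signature first, then parse the claims as plain JSON and
    enforce the allow-list. Attacker bytes never reach an object
    deserializer. Returns the claims dict, or None on any failure."""
    pieces = token.split(".")
    if len(pieces) != 2:
        return None
    body = _b64decode(pieces[0], urlsafe=True)
    sig = _b64decode(pieces[1], urlsafe=True)
    if body is None or sig is None:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    # Exactly the allow-listed claims, each of the expected primitive type.
    if not isinstance(claims, dict) or set(claims) != set(ALLOWED_CLAIMS):
        return None
    if any(type(claims[k]) is not t for k, t in ALLOWED_CLAIMS.items()):
        return None
    return claims


def demo_results():
    """Run the checks over constructed inputs; returns a dict for inspection."""
    good = issue_token({"sub": "alice", "exp": 1700000000})
    other_issuer = issue_token({"sub": "admin", "exp": 1700000000}, key=OTHER_KEY)
    return {
        # Constructed values: the well-known base64 prefixes of a .NET
        # BinaryFormatter stream and of a Java serialization stream.
        "dotnet_header": classify_auth_header("Bearer AAEAAAD/////AQAAAAAAAAA"),
        "java_header": classify_auth_header("Bearer rO0ABXNy"),
        "plain_header": classify_auth_header("Bearer " + good),
        "good_claims": verify_token(good),
        "wrong_key": verify_token(other_issuer),
        "extra_claim": verify_token(issue_token({"sub": "bob", "exp": 1, "role": "admin"})),
        "garbage": verify_token("not.a-token"),
    }


if __name__ == "__main__":
    for name, value in demo_results().items():
        print(f"{name}: {value!r}")
```

The order of operations in `verify_token` is the point: signature verification with a constant-time compare happens before any parsing, the parser is a data-only JSON decoder, and the result is checked against a fixed schema, so a header the server did not issue is discarded without ever being interpreted. The magic-byte detector is deliberately separate; it does not replace the fix, but it lets a gateway or log pipeline flag requests that carry serialized objects where a credential belongs.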
RCE vulnerabilities are among the most serious: an attacker who exploits one can extract confidential data from the system, make unauthorized modifications and destroy data.
They can also take steps to hide their intrusion and maintain an ongoing presence.
Even once the original vulnerability is fixed, a skilled attacker could continue to control the system remotely.
Another flaw discovered by the researchers at RedTeam Pentesting showed how sensitive data, such as the passwords stored in the vault, could potentially be accessed by a third party.
RedTeam Pentesting added: “This vulnerability allows attackers, who can communicate with the Vault system, to retrieve a small chunk of the Vault system's memory.
“Since sensitive data, such as passwords, stored in the Vault most likely passes through the RAM, it could potentially be accessed.
“The memory also contains, for example, database query strings and local file paths related to CyberArk Password Vault software.”
CyberArk has since issued a patch which is available here, and tweeted: “The security of our customers is of utmost importance to CyberArk.
“We want to thank RedTeam Pentesting GmbH for their responsible disclosure. Once informed, we took immediate action to verify the risk and alerted customers to download a patch to mitigate.”
RedTeam Pentesting, in turn, described CyberArk’s response as “professional and timely”.