CyberArk Vault User Enumeration
Posted Aug 29, 2013
Authored by Moshe Zioni

CyberArk Vault versions prior to 7.20.37 suffer from multiple user enumeration vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2012-6344, CVE-2012-6345
MD5 | 06201c391ac04c150480f7dcaa738d48

Security Advisory - CyberArk User Enumeration - Multiple vulnerabilities
========================================================================
Summary : CyberArk Vault was found prone to multiple user
enumeration/harvesting vulnerabilities.
Date : 1 August 2013
Affected versions : All Vault versions prior to 7.20.37 (SIMS v7.6)
CVSSv2 Rating : 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE references : CVE-2012-6344, CVE-2012-6345

Details
================
Cyber-Ark Software, Inc. is an information security company that develops and
markets digital vaults, based on their vaulting technology for securing and
managing privileged passwords and privileged identities (PIM), and sensitive
information within and across enterprise networks. Cyber-Ark’s technology is
deployed worldwide – primarily in the Financial Services, Energy, Retail, and
Healthcare enterprises. (en.wikipedia.org/wiki/Cyber-Ark)

Cyber-Ark Vault provides customers with infrastructure for digital vaults,
harnessing encryption and authorization capabilities along with a user interface
that allows clients to manage and interact with the vault.

Comsec Consulting has identified several vulnerabilities whose exploitation
leads to user enumeration on the targeted system.

[CVE-2012-6344]:
When requesting access to a vault on the server, the user is asked to provide
credentials (a user/password combination). Although the same error is returned
for an existing user with a bad password and for a user that does not exist, it
is still possible to determine which users are present on the system by
analyzing the network traffic, using statistical analysis of packet lengths.
During our tests we observed a packet size ratio of around 1 to 8 when
comparing a login attempt for a non-existent user with one for an existing user.

[CVE-2012-6345]:
Packets returned for a wrong username contain trailing null characters, with
only a few bytes differing between attempts, whilst a correct user with a bad
password results in an encoded message without the trailing null characters.

A sample of the returned output to be expected from a login attempt with an existing user:

..SNIP...
000000B0 8b 61 14 0c 4b c0 08 c4 00 e2 75 12 bf dc df 00 .a..K... ..u.....
000000C0 28 30 be 0d 00 00 00 00 00 00 00 00 00 00 00 00 (0...... ........
000000D0 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ........ ........
000000E0 00 00 00 00 00 00 00 00 00 ........ .
..END OF COMMUNICATION...

One can notice the trailing null bytes at the end of the packet exchange.
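The two observations above (CVE-2012-6344, different response lengths; CVE-2012-6345, null padding only in one case) both come from a login handler that builds its failure response differently depending on whether the username exists. The following added example (not CyberArk code, and not part of the advisory) is a constructed simulation of that pattern beside a hardened builder, plus a small audit helper a developer can run against their own response builder. The user table, frame layout, byte values and function names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential store: username -> PBKDF2 hash (not real data).
_SALT = b"demo-salt"
_ITER = 10_000  # kept low so the demo runs quickly; production uses far more
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}
# Dummy hash so that an unknown user still costs exactly one PBKDF2 evaluation.
_DUMMY = hashlib.pbkdf2_hmac("sha256", b"dummy", _SALT, _ITER)
FRAME_LEN = 64  # assumed fixed frame size for the hardened protocol


def _verify(user: str, password: str) -> bool:
    """Constant-time credential check that does the same work for every user."""
    stored = USERS.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    return hmac.compare_digest(stored, candidate) and user in USERS


def leaky_login_response(user: str, password: str) -> bytes:
    """Hypothetical framing that mirrors the advisory's observations:
    an unknown user yields a short frame that is mostly trailing nulls,
    a known user with a bad password yields a longer encoded error."""
    if user not in USERS:
        return b"\x04" + b"\x00" * 31                   # 32 bytes, null-padded
    if not _verify(user, password):
        # 64-byte encoded error, no null padding
        return (b"ERR:bad password for " + user.encode()).ljust(FRAME_LEN, b".")
    return b"OK:" + secrets.token_bytes(FRAME_LEN - 3)  # 64-byte success frame


# One generic failure frame, identical whether or not the username exists.
_FAIL_FRAME = b"ERR:authentication failed".ljust(FRAME_LEN, b"\xaa")


def hardened_login_response(user: str, password: str) -> bytes:
    """Byte-for-byte identical failure frame for both failure causes, and a
    success frame of the same length, so neither length nor padding leaks."""
    if not _verify(user, password):
        return _FAIL_FRAME
    return b"OK:" + secrets.token_bytes(FRAME_LEN - 3)


def trailing_nulls(frame: bytes) -> int:
    """Number of 0x00 bytes at the end of a frame."""
    return len(frame) - len(frame.rstrip(b"\x00"))


def enumeration_signals(builder, known_user: str, unknown_user: str,
                        bad_password: str = "wrong") -> dict:
    """Audit a response builder: compare the failure response for a real user
    with a wrong password against the one for a non-existent user. Any True
    in 'length_differs' or 'trailing_nulls_differ' is an enumeration oracle."""
    a = builder(known_user, bad_password)
    b = builder(unknown_user, bad_password)
    return {
        "length_differs": len(a) != len(b),
        "trailing_nulls_differ": trailing_nulls(a) != trailing_nulls(b),
        "identical": a == b,
    }


if __name__ == "__main__":
    for name, builder in (("leaky", leaky_login_response),
                          ("hardened", hardened_login_response)):
        print(name, enumeration_signals(builder, "alice", "nobody"))
```

The audit only looks at the two properties the advisory names; a real review of a login path should also compare response timing, which is why `_verify` hashes a dummy value for unknown users instead of returning early.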

Impact
================
By exploiting one of the weaknesses described above, an attacker can harvest
the usernames available on the vault server, which can then be used in
conjunction with a password brute-force attack or, for example, for
phishing/spam purposes.

This attack vector is mainly used in reconnaissance and information gathering
scenarios, giving an attacker legitimate user names residing on the server or
on a domain connected to it. By using the obtained list of users, one can
escalate privileges, mainly through password brute force and social
engineering techniques.

Proof of Concept
================

The proof of concept was presented to the vendor and is omitted here on
purpose.

Solution
================
An official update for Vault (v7.2) has been released which, according to the
vendor, fixes the vulnerabilities described.

Credits
================
The issue was responsibly reported to the vendor by Moshe Zioni from Comsec
Global Consulting.

Timeline
================
April 2013
Vendor releases official fix with credit in release notes
17 December 2012
Bug verification notice by vendor
12 December 2012
Re-request vendor's response
1 November 2012
Request vendor's response
16 October 2012
Bug details provided following vendor's request
15 October 2012
First response from vendor - request for details
14 October 2012
Bug reported by Moshe Zioni from Comsec Global Consulting

References
================
Cyber-Ark
http://www.cyber-ark.com/

Comsec Global Consulting
http://www.comsecglobal.com/
