CVE-2024-45488: Skeleton Cookie Vulnerability Exposes Safeguard for Privileged Passwords to Full Administrative Access

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On September 17, 2024, Amber Wolf Security published details of a significant authentication bypass vulnerability in One Identity’s Safeguard for Privileged Passwords product. Tracked as CVE-2024-45488 and dubbed "Skeleton Cookie," the flaw lets an attacker who can forge the appliance's session cookie gain full administrative access to the virtual appliance, which in turn can lead to the extraction of privileged passwords and to remote code execution (RCE). This article summarizes the technical details of the exploit and the steps available to mitigate this critical security flaw.

Report Overview

Safeguard for Privileged Passwords, a solution by One Identity (a subsidiary of Quest Software), is designed to automate and secure privileged credential management with role-based access control. Available as a hardened appliance, hybrid, or cloud deployment, it’s often a critical part of an organization’s security infrastructure. The Skeleton Cookie vulnerability, however, poses a serious risk by allowing unauthorized access via an authentication bypass.

The vulnerability was discovered during a routine security assessment by Amber Wolf Security. The team found that the web interface's session cookies were protected with Microsoft's DPAPI (Data Protection API) in a way that let anyone holding the appliance's DPAPI master key both decrypt and forge them. This gave an attacker a path to generate their own session cookies, bypass authentication, and assume administrative privileges.

The vulnerability arises from how Safeguard handles session cookies after login. On a successful login, the server returns a session cookie named stsIdentity0 whose value is a DPAPI-protected blob. The call that protects it passes no additional entropy, so the cookie's confidentiality and integrity rest entirely on the DPAPI master key: anyone with that key can produce a cookie of their own that the server will decrypt and accept.

Amber Wolf Security describe setting a breakpoint on the TryDecryptCookie function in the .NET executable rsts.exe and examining the decrypted cookie structure. This confirmed that Safeguard for Privileged Passwords used no additional entropy when protecting session cookies, so an attacker with the DPAPI master key could protect cookies of their own choosing and bypass authentication altogether.

The root cause lies in how Safeguard's code uses DPAPI. The ProtectedData.Unprotect call that decrypts cookies specifies the DataProtectionScope.CurrentUser parameter, which ties the protection to the DPAPI master key of the account the service runs as. That scope is not an application secret: it does nothing to stop someone who holds that account's master key from calling ProtectedData.Protect with the same scope and no entropy. Amber Wolf's researchers demonstrated exactly that, using the master DPAPI keys to produce cookies the server accepted as genuine.
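The following is an added model of the flaw, not code from the Amber Wolf write-up or from Safeguard. Real DPAPI is replaced by a small HMAC-based stand-in (a toy encrypt-then-MAC construction keyed from a "master key" plus optional entropy) so the example runs anywhere; the cookie layout, the claim names, the class and function names, and the per-installation-secret fix are all assumptions made for the illustration. It shows the two things the text describes: a server that treats "the blob decrypted" as "the session is genuine", and an attacker who, holding only the master key and no entropy, protects an administrative cookie the server accepts. The same server with a per-installation random secret as entropy rejects that forgery.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _derive_key(master_key: bytes, entropy: bytes) -> bytes:
    """Stand-in for DPAPI's key derivation: the protection key depends on
    the user's master key and on the optional entropy (empty by default)."""
    return hmac.new(master_key, b"dpapi-model|" + entropy, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (model only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(master_key: bytes, data: bytes, entropy: bytes = b"") -> bytes:
    """Model of ProtectedData.Protect(data, entropy, scope): encrypt-then-MAC
    under a key derived from the master key (and entropy, if any)."""
    key = _derive_key(master_key, entropy)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(master_key: bytes, blob: bytes, entropy: bytes = b"") -> Optional[bytes]:
    """Model of ProtectedData.Unprotect: returns the plaintext, or None where
    the real API would throw a CryptographicException."""
    if len(blob) < 48:
        return None
    key = _derive_key(master_key, entropy)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class SessionService:
    """Issues and checks an stsIdentity0-style cookie (assumed layout).
    With entropy=b"" this is the vulnerable pattern: CurrentUser-scope DPAPI,
    no entropy, and "it decrypted" taken to mean "it is genuine".  Passing a
    per-installation random secret as entropy is the hardened variant, an
    assumed fix for the model rather than One Identity's patch."""

    def __init__(self, master_key: bytes, entropy: bytes = b""):
        self.master_key = master_key
        self.entropy = entropy

    def issue_cookie(self, user: str, role: str) -> bytes:
        claims = json.dumps({"sub": user, "role": role}).encode()
        return protect(self.master_key, claims, self.entropy)

    def try_decrypt_cookie(self, cookie: bytes) -> Optional[dict]:
        plaintext = unprotect(self.master_key, cookie, self.entropy)
        if plaintext is None:
            return None
        return json.loads(plaintext)  # decryptability alone grants the role inside


def forge_admin_cookie(stolen_master_key: bytes) -> bytes:
    """Attacker side: holding only the DPAPI master key, protect a cookie that
    claims an administrative identity.  No entropy is needed in the vulnerable
    design, so this call mirrors exactly what the server does."""
    claims = json.dumps({"sub": "attacker", "role": "Administrator"}).encode()
    return protect(stolen_master_key, claims)


def demo() -> dict:
    master_key = secrets.token_bytes(32)  # constructed: the appliance's DPAPI master key
    vulnerable = SessionService(master_key)
    hardened = SessionService(master_key, entropy=secrets.token_bytes(32))
    forged = forge_admin_cookie(master_key)
    return {
        "vulnerable_accepts_forgery": vulnerable.try_decrypt_cookie(forged),
        "hardened_accepts_forgery": hardened.try_decrypt_cookie(forged),
        "hardened_accepts_own": hardened.try_decrypt_cookie(hardened.issue_cookie("alice", "User")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner should keep in mind. First, entropy only helps if it is a secret the attacker cannot recover alongside the master key: a constant compiled into the binary is no better than none, so the secret has to be generated per installation and stored where only the service account can read it. Second, the model still lets any decrypted blob define its own role; a production token service should additionally bind the session to server-side state (an issued-session record, expiry, and the user's actual role) rather than trusting claims purely because they decrypted.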

Once authenticated, attackers could extract sensitive data such as privileged passwords stored in managed accounts and even escalate to RCE through Safeguard's backup and restore functionalities.

Insights and Analysis

This vulnerability has severe implications for organizations using Safeguard for Privileged Passwords. Successful exploitation of CVE-2024-45488 allows attackers to assume full administrative control of the virtual appliance. This could lead to the theft of sensitive credentials, the compromise of other systems, and long-term persistence within the network.

Worse yet, if the appliance's backups are configured with the default hardcoded RSA key, an attacker with administrative access can download and decrypt the backup files, gaining access to the organization's entire credential repository. With RCE, the attacker can execute arbitrary commands on the appliance itself, escalating the impact further.

Preventative Measures: One Identity has acknowledged the vulnerability and is working on a patch for their Safeguard product. In the meantime, organizations should take immediate steps to mitigate the risk:

  1. Update to the Latest Version: Ensure you are running the latest version of Safeguard for Privileged Passwords. When the patch for version 8.0 is released, apply it promptly.
  2. Backup Encryption: Review your backup encryption settings and ensure you are using strong encryption such as GPG keys or a unique password, rather than the default RSA key.
  3. Limit Access: Restrict administrative access to the virtual appliance to only necessary personnel and ensure robust monitoring of privileged access.

Conclusion

CVE-2024-45488 represents a significant security risk for any organization relying on One Identity’s Safeguard for Privileged Passwords. The Skeleton Cookie vulnerability showcases how a misimplementation of DPAPI encryption can open the door to full administrative access and potential remote code execution. Organizations are urged to take immediate action to protect their systems while awaiting the official patch from One Identity.

Stay vigilant and regularly review your privileged access management systems to ensure they remain secure.

Indicators of Compromise (IOCs)

Indicator | Type | Description
(none) | (none) | No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Techniques

Tactic | Technique | ID | Description
Initial Access | Exploit Public-Facing Application | T1190 | Authentication bypass against the appliance's web interface using a forged stsIdentity0 session cookie.
Defense Evasion | Use Alternate Authentication Material: Web Session Cookie | T1550.004 | A DPAPI-protected cookie forged with the master key is presented in place of a real login.
Privilege Escalation | Valid Accounts | T1078 | The forged session is accepted as an administrative account on the virtual appliance.
Persistence | Valid Accounts | T1078 | Cookies can be re-forged at will as long as the DPAPI master key is unchanged, giving durable access.
Credential Access | Credentials from Password Stores | T1555 | Extraction of privileged passwords from managed accounts once administrative access is obtained.
Credential Access | Unsecured Credentials: Credentials In Files | T1552.001 | Decryption of appliance backups protected with the default hardcoded RSA key.
Execution | Command and Scripting Interpreter | T1059 | Remote code execution reached through the appliance's backup and restore functionality.

References

https://blog.amberwolf.com/blog/2024/september/skeleton-cookie-breaking-into-safeguard-with-cve-2024-45488/