Security Advisory - CyberArk User Enumeration - Multiple vulnerabilities
========================================================================

Summary           : CyberArk Vault was found prone to multiple user enumeration/harvesting vulnerabilities.
Date              : 1 August 2013
Affected versions : All Vault versions prior to 7.20.37 (SIMS v7.6)
CVSSv2 Rating     : 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE references    : CVE-2012-6344, CVE-2012-6345

Details
================

Cyber-Ark Software, Inc. is an information security company that develops and markets digital vaults, based on their vaulting technology for securing and managing privileged passwords and privileged identities (PIM), and sensitive information within and across enterprise networks. Cyber-Ark's technology is deployed worldwide, primarily in the Financial Services, Energy, Retail, and Healthcare enterprises. (en.wikipedia.org/wiki/Cyber-Ark)

Cyber-Ark Vault provides customers with infrastructure for digital vaults, harnessing encryption and authorization capabilities along with a user interface that allows clients to manage and interact with the vault.

Comsec Consulting has identified several vulnerabilities which, when exploited, lead to user enumeration on the targeted system.

[CVE-2012-6344]: When requesting access to a vault on the server, the user is asked to provide credentials (user/password combination). The server returns the same error for an existing user with a bad password and for a user that simply does not exist; nonetheless, it is still possible to determine which users are present on the system by analyzing the network traffic, employing statistical analysis of packet lengths. During our tests we observed a packet size ratio of around 1 to 8 when comparing a login attempt for a non-existent user to one for an existing user.
[CVE-2012-6345]: Packets for a wrong username contain trailing null characters with some minor differing bytes, whereas a correct user with a bad password results in an encoded message without the trailing null characters. A sample of the output to be expected from an existing-user attempt:

...SNIP...
000000B0  8b 61 14 0c 4b c0 08 c4 00 e2 75 12 bf dc df 00  .a..K... ..u.....
000000C0  28 30 be 0d 00 00 00 00 00 00 00 00 00 00 00 00  (0...... ........
000000D0  00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  ........ ........
000000E0  00 00 00 00 00 00 00 00 00                       ........ .
...END OF COMMUNICATION...

One can notice the trailing null bytes at the end of the packet exchange.

Impact
================

By exploiting one of the weaknesses described above, an attacker can harvest the usernames available on the vault server, which can be used in conjunction with a password brute-force attack or, for example, for phishing/spam purposes. This attack vector is mainly used in reconnaissance and information gathering scenarios, leading an attacker to legitimate user names residing on the server or on a domain connected to it. With the obtained list of users, one can escalate privileges, mainly by password brute force and social engineering techniques.

Proof of Concept
================

The proof of concept was presented to the vendor and is omitted here on purpose.

Solution
================

An official update for Vault, v7.2, was released which according to the vendor fixes the vulnerabilities described.

Credits
================

The issue was responsibly reported to the vendor by Moshe Zioni from Comsec Global Consulting.
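An added illustration, not part of this advisory and not CyberArk or Comsec code: a toy login responder that reproduces the reply shapes described for CVE-2012-6344 and CVE-2012-6345 (a short null-padded frame for an unknown user, a longer encoded frame for a known user with a bad password), beside a hardened responder that returns a fixed-size, identical failure frame, plus the self-check a defender can run to confirm the two replies are indistinguishable. Usernames, passwords and frame layouts are constructed for the example.

```python
"""Toy authentication responder illustrating the side channel in this advisory.

Added example, not CyberArk's or Comsec's code: user database, passwords and
frame layouts are constructed for the demo.
"""
import hashlib
import hmac

# Constructed user database for the demo (plaintext only to keep the toy short).
USERS = {"alice": "correct horse", "bob": "battery staple"}


def vulnerable_login(user: str, password: str) -> bytes:
    """Leaky responder: the reply's length and padding depend on user existence."""
    if user not in USERS:
        # Unknown user: 4-byte status word followed by trailing null padding.
        return b"\x00\x00\x00\x01" + b"\x00" * 12
    if USERS[user] != password:
        # Known user, bad password: a longer hex-encoded failure token, no nulls.
        return hashlib.sha256(b"bad-password:" + user.encode()).hexdigest().encode()
    return b"OK".ljust(64, b"\x00")


def hardened_login(user: str, password: str) -> bytes:
    """Constant-shape responder: same bytes for unknown user and bad password."""
    # Compare against an empty dummy secret when the user is unknown so the
    # comparison path runs in both cases; the result is then masked by `known`.
    known = user in USERS
    expected = USERS.get(user, "").encode()
    ok = hmac.compare_digest(expected, password.encode()) and known
    body = b"AUTH_OK" if ok else b"AUTH_FAIL"
    return body.ljust(64, b"\x00")  # fixed 64-byte frame, user-independent tail


def trailing_nulls(frame: bytes) -> int:
    """Count trailing 0x00 bytes, the second signal named in the advisory."""
    return len(frame) - len(frame.rstrip(b"\x00"))


def leaks_user_existence(responder, known_user: str, unknown_user: str) -> bool:
    """Self-check: do the two failure replies differ in length or in
    trailing-null count (the two signals named in the advisory)?"""
    a = responder(known_user, "definitely-wrong")
    b = responder(unknown_user, "definitely-wrong")
    return len(a) != len(b) or trailing_nulls(a) != trailing_nulls(b)


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, "leaks user existence:", leaks_user_existence(fn, "alice", "mallory"))
```

The same check can be pointed at a real authentication endpoint's failure replies, captured for one known and one unknown account, to verify that a patched server no longer distinguishes the two cases by size or padding.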
Timeline
=================

April 2013          Vendor releases official fix with credit in release notes
17 December 2012    Bug verification notice by vendor
12 December 2012    Re-request vendor's response
1 November 2012     Request vendor's response
16 October 2012     Bug details provided following vendor's request
15 October 2012     First response from vendor - request for details
14 October 2012     Bug reported by Moshe Zioni from Comsec Global Consulting

References
=================

Cyber-Ark                 http://www.cyber-ark.com/
Comsec Global Consulting  http://www.comsecglobal.com/