A critical vulnerability in Delinea Secret Server allows auth bypass, admin access

Organizations with on-prem installations of Delinea Secret Server are urged to update them immediately, to plug a critical vulnerability that may allow attackers to bypass authentication, gain admin access and extract secrets.

Fixing the Delinea Secret Server SOAP API vulnerability

Delinea Secret Server (formerly Thycotic Secret Server) is a privileged access management (PAM) solution “for the modern, hybrid enterprise”. Among other things, PAM solutions can automate the provisioning and deprovisioning of privileged accounts, as well as secure remote access.

On its Service Status page, Delinea announced on Friday (April 12) that it was investigating a security concern/incident.

On Saturday, the company explained that they were aware of the vulnerability in the Secret Server SOAP API and were dealing with the situation by blocking SOAP endpoints for Secret Server Cloud customers, until they can patch the cloud service – which they did on the same day.

“Our Engineering and Security teams have completed their research for any evidence of compromised tenant data and at this time we have found no evidence that any customer’s data has been compromised and no attempts to exploit the vulnerability has occurred,” the company added.

On Sunday, Delinea released Secret Server On-Premises (Version 11.7.000001), which fixes the flaw, and promised patches for prior versions as soon as testing is completed.

The company has also released a guide customers using on-prem versions of the solution can use to check whether the vulnerability has been exploited by attackers.

It includes queries to create custom Secret Server reports that will show whether the vulnerable service/endpoint has been accessed, and especially whether it has been accessed from an IP address that has never logged-in as that user and resulted in the retrieval of secrets.

“Any access over Webservices will result in an audit record. Please investigate any secrets with atypical audit history or patterns: confirm if any Secret Server user is using the old Secret Server mobile application, and investigate the IP address, time of access, and users accessing secrets recorded on the audit record,” Delinea advised.

Vulnerability info, PoC exploit are public

Security researcher Kevin Beaumont said that Friday’s temporary unavailability of Delinea’s Secret Server Cloud was due to a blog post published by security engineer Johnny Yu on Wednesday (April 10).

In it, Yu outlined:

• His research into the Secret Server application and his discovery of the vulnerability
• A PoC exploit to create a “Golden” token that allows attackers to gain admin access and grab stored secrets
• His attempts to get Delinea to acknowledge and fix the problem

Unfortunately, it took him publishing information about the vulnerability to trigger action.