Vulnerability in CyberArk Enterprise Password Vault application

According to thehackernews, RedTeam Pentesting GmbH, a German network security company, discovered that there is a serious remote code execution vulnerability (CVE-2018-9843) in the CyberArk Enterprise Password Vault application. This flaw could allow attackers to exploit Web application and gain unauthorized access to the system with the privileges of the web application.

Enterprise Password Vault (EPV) is a .NET web application created by the company to help organizations securely manage their sensitive passwords, control privileged account passwords in various client/server and mainframe operating systems, switches, databases, and protect them from outside attackers and malicious Insider threats.

The irony is that the vulnerability resides in CyberArk Password Vault Web Access. It is caused by the way the Web server handles the deserialization operation insecurely and may allow the attacker to process the deserialized data server. Execute the code on the server processing the deserialized data.

According to the researchers, when a user logs in into his account, the application uses REST API to send an authentication request to the server, which includes an authorization header containing a serialized .NET object encoded in base64.

This serialized .NET object holds the information about a user’s session, but researchers found that the “integrity of the serialized data is not protected.” The attacker manipulates the authentication token and injects their malicious code into the authorization header, and the server does not verify the integrity of the serialized data, thus obtaining “not on the Web server, verified code execution”

Researchers strongly recommend companies if they can mitigate this vulnerability and disable any access to the API on route / PasswordVault / WebServices. In another case to upgrade the software CyberArk password.