Return
-
Title
CVE-2024-40595 Authentication Bypass Vulnerability -
Description
An authentication bypass vulnerability in the RDP component of One Identity Safeguard for Privileged Sessions allows man-in-the-middle attackers to obtain unencrypted information to access privileged sessions on target resources.
This vulnerability is identified by CVE-2024-40595. -
Cause
Connection setup for the RDP protocol includes several message exchanges between the client computer and the SPS appliance. It was discovered during an internal audit that under certain configurations, a sensitive piece of information was transferred from the client to SPS in plain text. A man-in-the-middle attacker can intercept this message and use the information to bypass authentication and get access to the victim’s target resource via a monitored session in SPS.
-
Resolution
Resolution
Upgrade to a patched version now available for download:
For SPS 7.0.5.1 LTS is available for Download HereFor SPS 7.5.1 is available for Download Here
Impacted Versions- All LTS before 7.0.5.1
- All feature versions before 7.5.1
Further details and mitigation factors:
- Authentication bypass is only practical when a credential store (e.g. Safeguard for Privileged Passwords) is configured in the connection policy. Otherwise, the attacker must perform a second authentication step at the target resource.
- It is not possible to perform the attack invisibly, because the vulnerable sensitive information can only be used once, and only within a fixed time window. The attacker can not mount an attack without a victim performing the gateway authentication first.
- The attacker might get access to a single session, which is recorded and monitored by SPS.
- The attacker can not set the details of the obtained session. The target server and the account is determined by the victim’s connection and the SPS configuration only.
- The integrity of the SPS appliance is not affected by this vulnerability.
- Other supported protocols than RDP are not affected by this vulnerability.
-
Change Request
339857 -
Additional Information
There is no known exploitation of this issue.