An authentication bypass vulnerability in the RDP component of One Identity Safeguard for Privileged Sessions allows man-in-the-middle attackers to obtain unencrypted information to access privileged sessions on target resources.
This vulnerability is identified by CVE-2024-40595.
原因
Connection setup for the RDP protocol includes several message exchanges between the client computer and the SPS appliance. It was discovered during an internal audit that under certain configurations, a sensitive piece of information was transferred from the client to SPS in plain text. A man-in-the-middle attacker can intercept this message and use the information to bypass authentication and get access to the victim’s target resource via a monitored session in SPS.
解决办法
Resolution
Upgrade to a patched version now available for download:
Authentication bypass is only practical when a credential store (e.g. Safeguard for Privileged Passwords) is configured in the connection policy. Otherwise, the attacker must perform a second authentication step at the target resource.
It is not possible to perform the attack invisibly, because the vulnerable sensitive information can only be used once, and only within a fixed time window. The attacker can not mount an attack without a victim performing the gateway authentication first.
The attacker might get access to a single session, which is recorded and monitored by SPS.
The attacker can not set the details of the obtained session. The target server and the account is determined by the victim’s connection and the SPS configuration only.
The integrity of the SPS appliance is not affected by this vulnerability.
Other supported protocols than RDP are not affected by this vulnerability.