Security Advisory - CyberArk User Enumeration - Multiple vulnerabilities
Summary : CyberArk Vault was found prone to multiple user
Date : 1 August 2013
Affected versions : All Vault versions prior to 7.20.37 (SIMS v7.6)
CVSSv2 Rating : 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE references : CVE-2012-6344, CVE-2012-6345
Cyber-Ark Software, Inc. is an information security company that develops and
markets digital vaults, based on its vaulting technology for securing and
managing privileged passwords and privileged identities (PIM), and sensitive
information within and across enterprise networks. Cyber-Ark's technology is
deployed worldwide, primarily in Financial Services, Energy, Retail, and
Healthcare enterprises. (en.wikipedia.org/wiki/Cyber-Ark)
Cyber-Ark Vault provides customers with digital vault infrastructure,
harnessing encryption and authorization capabilities along with a user interface
that allows clients to manage and interact with the vault.
Comsec Consulting has identified several vulnerabilities whose exploitation
leads to user enumeration on the targeted system.
When requesting access to a vault on the server, the user is asked to provide
credentials (a username/password combination). Although the same error is
returned for an existing user with a bad password and for a user that does not
exist, it is still possible to determine which users are present on the system
by analyzing the network traffic, applying statistical analysis to packet
lengths. During our tests we observed a packet size ratio of around 1 to 8
when comparing a login attempt for a non-existent user to one for an existing
user.
Packets involving a wrong username contain trailing null characters with a few
differing bytes, whereas a correct user with a bad password results in an
encoded message without those trailing null characters.
A sample of the returned output to be expected from an attempt with an existing
user:
000000B0 8b 61 14 0c 4b c0 08 c4 00 e2 75 12 bf dc df 00 .a..K... ..u.....
000000C0 28 30 be 0d 00 00 00 00 00 00 00 00 00 00 00 00 (0...... ........
000000D0 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ........ ........
000000E0 00 00 00 00 00 00 00 00 00 ........ .
..END OF COMMUNICATION...
One can notice the trailing null bytes at the end of the packet exchange.
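As an added example (not part of the advisory and not CyberArk's or Comsec's code), a small Python check a defender can run after patching: it parses a response dump in the same offset/hex/ASCII layout shown above (the dump reused here is the advisory's own), counts trailing null bytes, and tests whether response sizes for existing and non-existent usernames remain distinguishable. The size samples passed to the check are constructed.

```python
import re
import statistics

# The advisory's sample dump, in "offset  hex bytes  ascii" layout.
SAMPLE_DUMP = """\
000000B0 8b 61 14 0c 4b c0 08 c4 00 e2 75 12 bf dc df 00 .a..K... ..u.....
000000C0 28 30 be 0d 00 00 00 00 00 00 00 00 00 00 00 00 (0...... ........
000000D0 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ........ ........
000000E0 00 00 00 00 00 00 00 00 00 ........ .
"""

# 8-hex-digit offset, then a run of two-digit hex pairs each followed by a space.
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s)+)")


def parse_dump(text: str) -> bytes:
    """Recover the raw bytes from a dump; at most 16 bytes per line so the
    ASCII column can never be mistaken for hex pairs."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(2).replace(" ", "")[:32]))
    return bytes(out)


def trailing_nulls(data: bytes) -> int:
    """Number of 0x00 bytes padding the end of a response."""
    return len(data) - len(data.rstrip(b"\x00"))


def length_oracle(valid_sizes, invalid_sizes, max_ratio=1.5):
    """Regression check for the size side channel: returns (median ratio,
    distinguishable). The two groups count as distinguishable when their
    medians differ by max_ratio or more, or when their size ranges do not
    overlap at all. A patched server should yield ratio ~1 with overlap."""
    v_med = statistics.median(valid_sizes)
    i_med = statistics.median(invalid_sizes)
    ratio = max(v_med, i_med) / min(v_med, i_med)
    overlap = (max(valid_sizes) >= min(invalid_sizes)
               and max(invalid_sizes) >= min(valid_sizes))
    return ratio, (ratio >= max_ratio or not overlap)
```

Feed `length_oracle` the response sizes captured for a batch of known-good and made-up usernames; if it still reports them as distinguishable, the error responses have not been equalised.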
By exploiting one of the weaknesses described above an attacker can harvest
available usernames on the vault server, which can be used in conjunction with
a password brute-force attack or, for example, for phishing/spam purposes.
This attack vector is mainly used in reconnaissance and information gathering
scenarios, leading an attacker to legitimate user names residing on the server
or on a domain connected to it. By successfully exploiting the obtained list of
users, one can escalate privileges, mainly by password brute force and social
Proof of Concept
The proof of concept was presented to the vendor and is omitted here.
An official update for Vault, v7.2, was released which, according to the
vendor, fixes the vulnerabilities described.
The issue was responsibly reported to the vendor by Moshe Zioni from Comsec
Vendor releasing official fix with credit in release notes
17 December 2012
Bug verification notice by vendor
12 December 2012
Re-request vendor's response
1 November 2012
Request vendor's response
16 October 2012
Bug details provided following vendor's request
15 October 2012
First response from vendor - request for details
14 October 2012
Bug reported by Moshe Zioni from Comsec Global Consulting
Comsec Global Consulting