Executive Summary
A vulnerability was recently discovered in Conjur that makes it theoretically possible for an unauthenticated attacker to acquire an API key through a brute force attack.
Affected Software
Conjur – all versions through 1.9.0 (fixed in 1.9.0).
Detailed Explanation
This vulnerability makes it theoretically possible for an unauthenticated attacker, through a brute force attack involving a very large number of authentication API calls, to eventually acquire an API key. For such an attack to be successful, the attacker must first obtain a valid user or host defined in the policy. The attack would leave a trail of failed authentication attempts in the Conjur logs.
If an attacker successfully obtained the API key, the attacker could then authenticate as the compromised user or host. In particular, if the admin user is compromised the attacker can gain admin privileges to Conjur.
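As an added example that is not part of this advisory, the following script flags accounts with a burst of failed authentication attempts, the trail described above. The log line format, field names and sample lines are constructed for illustration and are not Conjur's actual log format.

```python
# Added example (not from the advisory): detect brute-force trails in authn logs.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical line format (constructed, not Conjur's real format):
# "<ISO timestamp> authn FAILED|OK login=<account/kind/id> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) authn (?P<result>FAILED|OK) login=(?P<login>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one host identity hammered with failures, one normal user.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z authn FAILED login=myorg/host/app-1 src=203.0.113.5
2024-01-01T10:00:01Z authn FAILED login=myorg/host/app-1 src=203.0.113.5
2024-01-01T10:00:02Z authn FAILED login=myorg/host/app-1 src=203.0.113.5
2024-01-01T10:00:03Z authn FAILED login=myorg/host/app-1 src=203.0.113.5
2024-01-01T10:00:04Z authn FAILED login=myorg/host/app-1 src=203.0.113.5
2024-01-01T10:05:00Z authn FAILED login=myorg/user/alice src=198.51.100.7
2024-01-01T10:05:30Z authn OK login=myorg/user/alice src=198.51.100.7
"""

def parse_events(text):
    """Yield (timestamp, login, src) for every failed authentication line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAILED":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("login"), m.group("src")

def find_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {login: peak_failures} for logins that reach `threshold`
    failed attempts within any sliding time window of length `window`."""
    by_login = defaultdict(list)
    for ts, login, _src in parse_events(text):
        by_login[login].append(ts)
    flagged = {}
    for login, times in by_login.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop events older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[login] = max(flagged.get(login, 0), count)
    return flagged
```

Any login it flags is a candidate for the API key rotation the advisory recommends, and the `src` field gives the address to investigate.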
CVSS Score
This issue is scored as 8.7 (High).
Recommendations
CyberArk recommends all customers upgrade to version 1.9.0 as soon as practical.
If you suspect you have been compromised, rotate all your API keys immediately. See here for instructions. As a best practice, you should rotate all your API keys regularly.
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please email us at [email protected].