CVE-2022-29081 Access-control bypass is possible on a few Rest API URLs: SSOutAction, SSLAction, LicenseMgr, and GetProductDetails.

Access to these APIs could be leveraged by attackers to access sensitive information stored in PAM user profiles. For example, attackers could monitor keystrokes entered into a web form and then extract login credentials to other systems when users click the “Sign in” button on the target site. On PAM360, attackers could also monitor PAM user profile information to discover sensitive information such as passwords and then leverage that information to access other systems via password spraying. PAM360 user profile access is also possible via the ../RestAPI substring. Access to these APIs could be leveraged by attackers to access sensitive information stored in PAM user profiles. For example, attackers could monitor keystrokes entered into a web form and then extract login credentials to other systems when users click the “Sign in” button on the target site. On PAM360, attackers could also monitor PAM user profile information to discover sensitive information such as passwords and then leverage that information to access other systems via password spraying. PAM360 user profile access is also possible via the ../RestAPI substring. To mitigate access-control bypass vulnerabilities, we recommend that users upgrade to PAM360, PAM Access Manager, or PAM Password Manager Plus version 4304 or later. PAM360, PAM Access Manager, and PAM Password Manager Plus have been patched to address this issue

PAM 360

, PAM Access Manager, and PAM Password Manager Plus
PAM360 is a web-based Single Sign On (SSO) solution that provides privileged access to multiple applications. It allows users to sign in once from any device or location and have access to multiple systems. In addition, PAM360 supports digital identity management and single sign on across all devices via the use of a digital ID token.

Summary of Patching Recommendations

PAM360, PAM Access Manager, and PAM Password Manager Plus have been patched to address this issue. For the best protection against this issue, upgrade to PAM360, PAM Access Manager, or PAM Password Manager Plus version 4304 or later.

Access to the /pam/users API could be leveraged by attackers to access sensitive information stored in PAM user profiles.

On PAM360, attackers could also monitor PAM user profile information to discover sensitive information such as passwords and then leverage that information to access other systems via password spraying.

Access to protected API functionality

The vulnerability allows attackers to bypass access-control mechanisms and gain access to protected APIs. Attackers could monitor keystrokes entered into a web form and then extract login credentials to other systems when users click the “Sign in” button on the target site. On PAM360, attackers could also monitor PAM user profile information to discover sensitive information such as passwords and then leverage that information to access other systems via password spraying. PAM360 user profile access is also possible via the ../RestAPI substring. To mitigate this vulnerability, we recommend that users upgrade to PAM360, PAM Access Manager, or PAM Password Manager Plus version 4304 or later.

CVE-2022-29089

To mitigate access-control bypass vulnerabilities, we recommend that users upgrade to PAM360, PAM Access Manager, or PAM Password Manager Plus version 4304 or later. PAM360, PAM Access Manager, and PAM Password Manager Plus have been patched to address this issue

Timeline

Published on: 04/28/2022 20:15:00 UTC
Last modified on: 05/10/2022 12:29:00 UTC

References

• https://www.tenable.com/security/research/tra-2022-14
• https://www.manageengine.com/privileged-session-management/advisory/cve-2022-29081.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29081