Summary: A newly identified vulnerability in One Identity Safeguard for Privileged Sessions (SPS) allows attackers to bypass authentication and gain unauthorized access to privileged sessions via the RDP component. The flaw, tracked as CVE-2024-40595, affects all LTS versions prior to 7.0.5.1 and all feature versions before 7.5.1, necessitating immediate updates from affected organizations.
Threat Actor: Man-in-the-middle attackers | man-in-the-middle attackers
Victim: One Identity Safeguard for Privileged Sessions users | One Identity Safeguard for Privileged Sessions
Key Point :
- The vulnerability allows attackers to obtain unencrypted information during the RDP connection setup, leading to potential unauthorized access to privileged sessions.
- It is not possible to perform the attack invisibly, as the sensitive information can only be used once within a fixed time window and is monitored by SPS.
- Organizations are urged to upgrade to the latest patched versions to mitigate the risks associated with this vulnerability.
A newly disclosed vulnerability in One Identity Safeguard for Privileged Sessions (SPS) could allow attackers to bypass authentication and gain unauthorized access to privileged sessions. The vulnerability, tracked as CVE-2024-40595, affects the RDP component of SPS and stems from the transmission of sensitive information in plain text during the connection setup process.
According to One Identity, “an authentication bypass vulnerability in the RDP component of One Identity Safeguard for Privileged Sessions allows man-in-the-middle attackers to obtain unencrypted information to access privileged sessions on target resources.” The issue arises during the connection setup for RDP, where a sensitive piece of information is exchanged in plain text between the client and the SPS appliance.
This vulnerability affects all LTS versions of SPS prior to 7.0.5.1 and all feature versions before 7.5.1. While the potential for unauthorized access is concerning, One Identity has emphasized that the attack cannot be carried out invisibly. “It is not possible to perform the attack invisibly, because the vulnerable sensitive information can only be used once, and only within a fixed time window,” the advisory notes. The exploit is also restricted to a single session that is recorded and monitored by SPS, and the attacker cannot alter the session details, meaning that the target server and account remain fixed according to the victim’s connection.
The vulnerability primarily affects systems that use a credential store, such as Safeguard for Privileged Passwords, as part of the connection policy. Without this configuration, attackers would still need to complete a second authentication step at the target resource, limiting the practicality of the attack. However, in environments where this setup is present, attackers could gain access to privileged sessions in monitored environments.
Additionally, other supported protocols besides RDP are unaffected, and the integrity of the SPS appliance itself remains uncompromised.
One Identity strongly advises all customers to upgrade to the latest patched versions immediately. By applying the patch, organizations can ensure that their privileged sessions are safeguarded against potential exploitation of CVE-2024-40595.