This is a weird one. Customers of Delinea Secret Server Cloud had a mysterious outage on Friday due to a “security incident” – this was visible on a service status page:
https://medium.com/media/624e5e85022f659c8407983a4c7fdb36/href
Delinea Secret Server – also known as Thycotic Secret Server – is a privileged access management product which allows the storage and rotation of credentials. Competitors include the likes of CyberArk. It is a Crown Jewels product, designed to manage.. well, privilege access. The cloud offering is the Crown Jewels of Crown Jewels for organisations worldwide.
On Saturday they published indicators of compromise for the incident, behind a paywall:
So, what happened? I’ve confirmed they took their services offline over an incident related to the vulnerability in this blog:
“All Your Secrets Are Belong To Us” — A Delinea Secret Server AuthN/AuthZ Bypass
The vulnerability in that blog applies to Delinea Secret Server on prem – but also cloud. Over the weekend they fixed the issues highlighted. The vulnerability is serious, as it allows authentication bypass and admin access.
It appears Delinea had a process gap, because look at the disclosure timeline:
The outage timeline simply says the issue was fixed after a deployment, and that endpoints blocked have been unblocked.
Delinea say they believe no customer data was impacted.
On prem customers need to update, and cloud customers need to hope Delinea understand exactly what happened and are transparent about outcomes. For example, if nothing happened, why are there attacker indicators of compromise?
Delinea has cloud security incident in Thycotic Secret Server gaff was originally published
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: