CVE-2018-9842
published 2018-04-12
Priority P3 · 43 · medium
CVSS 3.0: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploit
EPSS: 14.12% (96.1st percentile)
CyberArk Password Vault before 9.7 allows remote attackers to obtain sensitive information from process memory by replaying a logon message.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyberark | password_vault | < 9.7 | 9.7 |
Detection & IOCs (extracted from sources)
- Monitor for repeated inbound TCP connections to port 1858 (CyberArk's proprietary vault protocol) from unexpected or external sources, especially replayed, byte-identical logon messages.
- Alert on high-frequency repeated logon requests to TCP/1858 from a single source IP; the published exploit loops 110 times, sending the same logon packet to harvest memory across the responses.
- Inspect vault responses on TCP/1858 for memory disclosure: leaked process memory begins at offset 0xe0 of the server reply and is identifiable by readable SQL-like strings such as 'vault_file_categories_records'.
- The exploit sends a 'Logon' RPC command (command value 0 = Logon at packet offset 0x97) with the username 'PacliScriptUser'; alert on that username in logon traffic to TCP/1858 from untrusted hosts.
- Exploitation needs only network-level access to TCP/1858 and no authentication, so perimeter firewall rules blocking external access to this port are a critical mitigation.
- Each request leaks only about 50 bytes, but iterated exploitation accumulates significant memory disclosure over time; detection should account for volumetric, repeated patterns rather than single requests.
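The notes above translate directly into a small detector. The script below is an added example written for this page, not code from the CVE record, the Exploit-DB entries or CyberArk: it walks constructed request/response pairs on TCP/1858, flags 'PacliScriptUser' logons from untrusted hosts, scans each reply from offset 0xe0 for readable runs containing a known leaked table name, and counts byte-identical replayed logon payloads per source inside a time window. The packet offsets (username at 0x10, Logon command value 0 at 0x97, leak at 0xe0) are the ones quoted in the notes; the 16-byte header prefix is the start of the published logon.bin bytes. The padded message size of 0xf7 bytes, the 60-second window, the threshold of 20 replays and every traffic sample are assumptions made for the example.

```python
"""Detector for CVE-2018-9842 logon replays on TCP/1858 (added example, not
code from the CVE record, Exploit-DB or CyberArk; offsets are from the IOC
notes, sizes/thresholds are assumptions, all traffic below is constructed)."""
import hashlib
from collections import defaultdict

VAULT_PORT = 1858
USERNAME_OFFSET = 0x10      # NUL-terminated username field (IOC notes)
COMMAND_OFFSET = 0x97       # command byte, 0 = Logon (IOC notes)
LOGON_COMMAND = 0
LEAK_OFFSET = 0xE0          # leaked server memory starts here in the reply (IOC notes)
LEAK_MARKERS = (b"vault_file_categories_records",)
PACLI_USER = b"PacliScriptUser"
LOGON_HEADER = bytes.fromhex("fffffffff7000000ffffffff3d010000")  # first 16 bytes of the published logon.bin
MESSAGE_SIZE = 0xF7         # assumed: second header dword is 0xf7, read here as the message length
REPLAY_WINDOW = 60.0        # assumed tuning (seconds)
REPLAY_THRESHOLD = 20       # assumed tuning; the exploit loops 110 times

def build_logon_request(username=PACLI_USER):
    """Constructed logon packet: published header, username at 0x10, Logon at 0x97."""
    buf = bytearray(MESSAGE_SIZE)
    buf[:len(LOGON_HEADER)] = LOGON_HEADER
    buf[USERNAME_OFFSET:USERNAME_OFFSET + len(username)] = username
    buf[COMMAND_OFFSET] = LOGON_COMMAND
    return bytes(buf)

def is_logon_request(payload):
    return len(payload) > COMMAND_OFFSET and payload[COMMAND_OFFSET] == LOGON_COMMAND

def extract_username(payload):
    """NUL-terminated username between the header and the command byte."""
    return payload[USERNAME_OFFSET:COMMAND_OFFSET].split(b"\x00", 1)[0]

def leaked_strings(response, min_len=6):
    """Printable ASCII runs at or after LEAK_OFFSET: candidate leaked memory."""
    runs, current = [], bytearray()
    for byte in response[LEAK_OFFSET:] + b"\x00":   # sentinel flushes the last run
        if 0x20 <= byte < 0x7F:
            current.append(byte)
        else:
            if len(current) >= min_len:
                runs.append(bytes(current))
            current = bytearray()
    return runs

def replay_bursts(logons, window=REPLAY_WINDOW, threshold=REPLAY_THRESHOLD):
    """Per source: most byte-identical logons seen inside any `window` seconds."""
    bursts = {}
    for src, events in logons.items():
        by_digest = defaultdict(list)
        for ts, payload in events:
            by_digest[hashlib.sha256(payload).digest()].append(ts)
        best = 0
        for stamps in by_digest.values():
            stamps.sort()
            oldest = 0
            for newest, ts in enumerate(stamps):
                while stamps[oldest] < ts - window:
                    oldest += 1
                best = max(best, newest - oldest + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts

def analyze(flows, trusted_sources=frozenset()):
    """flows: (timestamp, src_ip, dst_port, request, response); findings per (rule, source)."""
    findings, logons = {}, defaultdict(list)

    def hit(rule, src, ts, **extra):
        entry = findings.setdefault((rule, src), {"rule": rule, "src": src, "first_ts": ts, "count": 0, **extra})
        entry["count"] += 1

    for ts, src, dport, request, response in flows:
        if dport != VAULT_PORT or not is_logon_request(request):
            continue
        logons[src].append((ts, request))
        if extract_username(request) == PACLI_USER and src not in trusted_sources:
            hit("pacli-logon-from-untrusted-host", src, ts)
        leaked = [s for s in leaked_strings(response) if any(m in s for m in LEAK_MARKERS)]
        if leaked:
            hit("memory-disclosure-in-reply", src, ts, sample=leaked[0])
    for src, n in replay_bursts(logons).items():
        findings[("replayed-logon-burst", src)] = {"rule": "replayed-logon-burst", "src": src,
                                                  "first_ts": logons[src][0][0], "count": n}
    return sorted(findings.values(), key=lambda f: (f["src"], f["rule"]))

def sample_flows():
    """Constructed traffic: one trusted PACLI logon, one unrelated HTTPS flow, and
    110 identical replays from an external host whose replies leak a SQL fragment."""
    request = build_logon_request()
    leaky_reply = bytes(LEAK_OFFSET) + b"\x00\x07SELECT * FROM vault_file_categories_records WHERE\x00" + bytes(8)
    flows = [(0.0, "10.0.0.5", VAULT_PORT, request, bytes(LEAK_OFFSET + 0x40)),
             (5.0, "10.0.0.9", 443, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n")]
    flows += [(10.0 + i * 0.2, "203.0.113.7", VAULT_PORT, request, leaky_reply) for i in range(110)]
    return flows

if __name__ == "__main__":
    for finding in analyze(sample_flows(), trusted_sources={"10.0.0.5"}):
        print(finding)
```

Run against the constructed sample, the trusted admin host produces nothing, while the external address trips all three rules with a count of 110 each: the username match, the leaked SQL fragment in every reply, and the burst of identical payloads. Feeding real traffic means supplying the same five-tuple per flow from whatever captures TCP/1858 payloads; the replay rule keys on a hash of the full request bytes, so a client that varies any field between logons will not count as a replay.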
CVSS provenance
- NVD v3.0: 5.3 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
- NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
No detection rules found.
Exploit-DB
CyberArk 9.7 - Memory Disclosure (exploitdb · 2018-12-03 · CVSS 5.3 · CVE-2018-9842 [MEDIUM])
---
# Exploit Title: CyberArk 9.7 - Memory Disclosure
# Date: 2018-06-04
# Exploit Author: Thomas Zuk (@Freakazoidile)
# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Version: < 9.7 and < 10
# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10
# CVE: CVE-2018-9842
# Description: There currently exists a general advisory for the CVE with a description of exploitation and how
# to reproduce, but without full exploit code. I have developed a working, reliable standalone Python exploit that
# can be successfully used by modifying only the target IP address. Attached to this email submission is the working exploit code.
#!/usr/bin/python
import socket
import os
impor
Exploit-DB
CyberArk < 10 - Memory Disclosure (exploitdb · 2018-06-04 · CVSS 5.3 · CVE-2018-9842 [MEDIUM])
---
# Exploit Title: CyberArk < 10 - Memory Disclosure
# Date: 2018-06-04
# Exploit Author: Thomas Zuk
# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Version: < 9.7 and < 10
# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10
# CVE: CVE-2018-9842
# Linux cmd line manual test: cat logon.bin | nc -vv IP 1858 | xxd
# paste the following bytes into a hexedited file named logon.bin:
#fffffffff7000000ffffffff3d0100005061636c695363726970745573657200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020202020ffffffff0000000000000000000073000000cececece00000000000000000
Exploit-DB
CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure (exploitdb · 2018-04-09 · CVSS 5.3 · CVE-2018-9842 [MEDIUM])
---
Advisory: CyberArk Password Vault Memory Disclosure
Data in the CyberArk Password Vault may be accessed through a proprietary
network protocol. While answering to a client's logon request, the vault
discloses around 50 bytes of its memory to the client.
Details
Product: CyberArk Password Vault
Affected Versions: < 9.7, < 10
Fixed Versions: 9.7, 10
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://www.cyberark.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-015
Advisory Status: published
CVE: CVE-2018-9842
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9842
Introduction
"CyberArk Enterprise Password Vault is
No writeups or analysis indexed.
References
- http://seclists.org/fulldisclosure/2018/Apr/19
- http://www.securityfocus.com/archive/1/541931/100/0/threaded
- http://www.securitytracker.com/id/1040674
- https://www.exploit-db.com/exploits/44428/
- https://www.exploit-db.com/exploits/44829/
- https://www.exploit-db.com/exploits/45926/
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-015/-cyberark-password-vault-memory-disclosure