CVE-2018-9843
Published 2018-04-12
Priority P2 · 75 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 17.34% (96.7th percentile)
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyberark | password_vault | < 9.9.5 | 9.9.5 |
| cyberark | password_vault | >= 10.0 < 10.1 | 10.1 |
Detection & IOCs (extracted from sources)
- Detect exploitation by inspecting the HTTP Authorization header for a base64-encoded .NET serialized object. The payload begins with the magic bytes 'AAEAAAD/////', which is characteristic of BinaryFormatter-serialized .NET objects.
- Monitor HTTP requests to the path /PasswordVault/WebServices for anomalous or oversized Authorization header values that do not conform to standard token/session formats (e.g., contain base64 blobs starting with 'AAEAAAD/////').
- Alert on unexpected outbound ICMP or network connections originating from the CyberArk Password Vault Web Access server process, which may indicate successful RCE via deserialization.
- No credentials are required to exploit this vulnerability; the malicious serialized object is passed in the Authorization header without authentication, meaning perimeter controls requiring valid credentials will not prevent exploitation.
- Affected versions are CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1; the fix is available in versions 9.9.5, 9.10, or 10.2.
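As an added example (not from the page's sources or from CyberArk), the two header checks above as detection logic in Python: it flags an Authorization value whose base64 token starts with 'AAEAAAD/////' or decodes to the BinaryFormatter stream header, and treats oversized or non-standard headers on /PasswordVault/WebServices as suspicious. The accepted-scheme regex, the 600-character limit and the sample requests are constructed assumptions.

```python
import base64
import binascii
import re

# BinaryFormatter starts every stream with a SerializationHeaderRecord:
# record type 0x00, RootId=1 (int32), HeaderId=-1 (int32). Those nine
# bytes base64-encode to the 'AAEAAAD/////' prefix named in the IOC above.
BINARYFORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff")
BASE64_MAGIC = "AAEAAAD/////"

WATCHED_PATH = "/PasswordVault/WebServices"
# Header shapes treated as normal (assumption; tune to the schemes actually used).
NORMAL_AUTH = re.compile(r"^(Bearer|Basic|Negotiate|NTLM)\s+[A-Za-z0-9+/=_\-.]{1,512}$", re.I)
MAX_AUTH_LEN = 600  # assumed upper bound for a legitimate header

def decodes_to_binaryformatter(blob: str) -> bool:
    """True if the base64 text decodes to bytes starting with the stream header."""
    try:
        return base64.b64decode(blob, validate=True).startswith(BINARYFORMATTER_MAGIC)
    except (binascii.Error, ValueError):
        return False

def classify_authorization(path: str, value: str) -> str:
    """Verdict for one request: 'clean', 'suspicious' or 'binaryformatter'."""
    value = value.strip()
    # Inspect the token after an optional scheme word, or the bare value.
    blob = value.split(None, 1)[1] if " " in value else value
    if blob.startswith(BASE64_MAGIC) or decodes_to_binaryformatter(blob):
        return "binaryformatter"  # flagged on any path
    # Oversize or non-standard headers matter only on the vulnerable API path.
    if path.startswith(WATCHED_PATH) and (len(value) > MAX_AUTH_LEN or not NORMAL_AUTH.match(value)):
        return "suspicious"
    return "clean"

def scan_requests(requests):
    """requests: iterable of (path, authorization_value). Returns non-clean hits."""
    hits = []
    for path, value in requests:
        verdict = classify_authorization(path, value)
        if verdict != "clean":
            hits.append((path, verdict))
    return hits

# Constructed sample traffic, not captured from a real system. The flagged token
# is only an empty BinaryFormatter stream header (version 1.0, no object graph).
EMPTY_STREAM_HEADER = base64.b64encode(BINARYFORMATTER_MAGIC + b"\x01\x00\x00\x00" + bytes(4)).decode()
SAMPLE_REQUESTS = [
    ("/PasswordVault/WebServices/auth/Cyberark/Logon", "Basic dXNlcjpwYXNz"),
    ("/PasswordVault/WebServices/Accounts", "Bearer " + "x" * 64),
    ("/PasswordVault/WebServices/Accounts", EMPTY_STREAM_HEADER),
    ("/PasswordVault/WebServices/Accounts", "Basic " + "A" * 900),
    ("/Other/API", "Bearer " + EMPTY_STREAM_HEADER),
    ("/Other/API", "Basic " + "A" * 900),
]
```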
CVSS provenance
NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References:
- http://seclists.org/fulldisclosure/2018/Apr/18
- http://www.securityfocus.com/archive/1/541932/100/0/threaded
- http://www.securitytracker.com/id/1040675
- https://www.exploit-db.com/exploits/44429/
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution