CVE-2024-45488
Published: 2024-08-30
Priority: P179 · Severity: critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 50.17% (98.8th percentile)
One Identity Safeguard for Privileged Passwords before 7.5.2 allows unauthorized access because of an issue related to cookies. This only affects virtual appliance installations (VMware or HyperV). The fixed versions are 7.0.5.1 LTS, 7.4.2, and 7.5.2.
Detection & IOCs
url: /RSTS/UserLogin/LoginController?response_type=token&redirect_uri=https%3A%2F%2Flocalhost&loginRequestStep=6&csrfTokenTextbox=aaa
other: plaintext cookie payload format: local,admin,Primary,Password,<YYYYMMDDTHHMMSSZ>,<YYYYMMDDTHHMMSSZ>
- Detect authentication bypass attempts by looking for GET requests to /RSTS/UserLogin/LoginController with loginRequestStep=6 and a stsIdentity0 cookie present alongside CsrfToken=aaa.
- A successful exploit response contains both 'access_token=' and 'RelyingPartyUrl' in the JSON body with HTTP 200 and Content-Type application/json; monitor for these in responses to unauthenticated requests to the LoginController endpoint.
- The attack forges a DPAPI blob encrypted with a hardcoded AES-256/SHA-512 master key (48F4153A8C26C2B026562685B67C30EFF119D735, GUID 98dc3c79-9aa5-4efc-927f-ccec24eaa14e) and sets it as the stsIdentity0 cookie value; the presence of this specific GUID in DPAPI blobs on the wire is a strong indicator of exploitation.
- The forged cookie payload encodes the string 'local,admin,Primary,Password,' followed by timestamps; inspect stsIdentity0 cookie values (base64-decoded) for this plaintext pattern after DPAPI decryption.
- Shodan fingerprint for exposed vulnerable instances: search for html containing 'Safeguard for Privileged Passwords'.
- This vulnerability only affects virtual appliance installations (VMware or HyperV); bare-metal deployments are not affected.
- The hardcoded master key and GUID in the PoC (48F4153A8C26C2B026562685B67C30EFF119D735 / 98dc3c79-9aa5-4efc-927f-ccec24eaa14e) are static across vulnerable installations, making the forged stsIdentity0 cookie universally applicable to unpatched virtual appliances.
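Added example (not part of the original page or the Nuclei template): the request-level checks from the detection notes above, applied to one logged request given as method, request target and raw Cookie header. It assumes the proxy or WAF logs the Cookie header and that stsIdentity0 is base64 of the blob, as the notes state; the function names, indicator labels and sample values are illustrative.

```python
import base64
import binascii
import uuid
from urllib.parse import parse_qs, unquote, urlsplit

LOGIN_PATH = "/rsts/userlogin/logincontroller"
# Master-key GUID quoted on this page. DPAPI blobs store GUIDs in
# little-endian (mixed-endian) byte order, hence bytes_le.
POC_GUID_LE = uuid.UUID("98dc3c79-9aa5-4efc-927f-ccec24eaa14e").bytes_le

def parse_cookies(header):
    """Split a raw Cookie header by hand; base64 values contain '=' and '/'."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar

def indicators(method, target, cookie_header):
    """Return the page-described indicators matched by one logged request."""
    url = urlsplit(target)
    if method.upper() != "GET" or url.path.lower() != LOGIN_PATH:
        return []
    query = parse_qs(url.query)
    cookies = parse_cookies(cookie_header)
    identity = cookies.get("stsIdentity0")
    if identity is None or query.get("loginRequestStep") != ["6"]:
        return []
    hits = ["step6_with_identity_cookie"]
    # "aaa" is only the placeholder seen in the published request; treat it
    # as corroboration, never as the sole condition.
    if cookies.get("CsrfToken") == "aaa" or query.get("csrfTokenTextbox") == ["aaa"]:
        hits.append("placeholder_csrf_token")
    raw = unquote(identity)
    try:
        blob = base64.b64decode(raw + "=" * (-len(raw) % 4))
    except (binascii.Error, ValueError):
        blob = b""  # not base64: no GUID check possible
    if POC_GUID_LE in blob:
        hits.append("poc_masterkey_guid")
    return hits

# Constructed sample: header-shaped filler around the GUID, not a real DPAPI blob.
SAMPLE_BLOB = b"\x01\x00\x00\x00" + bytes(16) + b"\x01\x00\x00\x00" + POC_GUID_LE + bytes(32)
SAMPLE_COOKIE = "CsrfToken=aaa; stsIdentity0=" + base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_TARGET = ("/RSTS/UserLogin/LoginController?response_type=token"
                 "&redirect_uri=https%3A%2F%2Flocalhost&loginRequestStep=6&csrfTokenTextbox=aaa")
print(indicators("GET", SAMPLE_TARGET, SAMPLE_COOKIE))
```

The GUID match is the strongest of the three signals; baseline the first one against normal login traffic before alerting on it alone.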
No detection rules found.
Nuclei
SafeGuard for Privileged Passwords < 7.5.2 - Authentication Bypass
nuclei·CVSS 9.8
Template:
id: CVE-2024-45488

info:
  name: SafeGuard for Privileged Passwords < 7.5.2 - Authentication Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    One Identity Safeguard for Privileged Passwords before 7.5.2 allows unauthorized access because of an issue related to cookies. This only affects virtual appliance installations (VMware or HyperV). The fixed versions are 7.0.5.1 LTS, 7.4.2, and 7.5.2.
  impact: |
    Unauthenticated attackers can byp
No writeups or analysis indexed.