Delinea has cloud security incident in Thycotic Secret Server gaffe

Kevin Beaumont
DoublePulsar


This is a weird one. Customers of Delinea Secret Server Cloud had a mysterious outage on Friday due to a “security incident” – this was visible on a service status page:

Delinea Secret Server – also known as Thycotic Secret Server – is a privileged access management product which allows the storage and rotation of credentials. Competitors include the likes of CyberArk. It is a Crown Jewels product, designed to manage... well, privileged access. The cloud offering is the Crown Jewels of Crown Jewels for organisations worldwide.

On Saturday they published indicators of compromise (IoCs) for the incident, behind a paywall: https://support.delinea.com/s/article/KB-010572-How-do-I-remediate-Secret-Server-in-reference-to-the-Secret-Server-SOAP-vulnerability

So, what happened? I’ve confirmed they took their services offline over an incident related to the vulnerability in this blog:

The vulnerability in that blog applies to Delinea Secret Server on prem – but also to the cloud offering. Over the weekend they fixed the issues highlighted. The vulnerability is serious, as it allows authentication bypass and admin access.

It appears Delinea had a process gap, because look at the disclosure timeline:

The outage timeline simply says the issue was fixed after a deployment, and that endpoints blocked have been unblocked.

Delinea say they believe no customer data was impacted.

On prem customers need to update, and cloud customers need to hope Delinea understand exactly what happened and are transparent about outcomes. For example, if nothing happened, why are there attacker indicators of compromise?

Updates

14 April 2024 8pm UK time – Delinea have changed their IoC link to be publicly facing, i.e. not behind a login paywall:

They have published a new Secret Server update for on prem users that they need to manually upgrade to ASAP:

No CVE has been allocated.

For Secret Server Cloud, they say “Secret Server Cloud has been patched and is no longer vulnerable, so no remediation is advised at this time.”
