Delinea Scrambles to Patch Critical Flaw After Failed Responsible Disclosure Attempt

Privileged access management (PAM) solutions provider Delinea over the weekend scrambled to patch a critical vulnerability after it apparently ignored a researcher who attempted to responsibly disclose the issue for weeks.

On April 12, Delinea informed customers that it had started investigating a “security incident” and that there may be some service disruptions. 

The next day, the company clarified that it had become aware of a critical authentication bypass vulnerability in the Secret Server SOAP API. Delinea initially prevented exploitation by blocking the impacted SOAP endpoints for Secret Server Cloud customers. In addition, it released indicators of compromise (IoCs) to enable customers to detect potential exploitation attempts. 

Later in the day, Delinea announced releasing patches for both Delinea Platform and Secret Server Cloud. On April 14, the company announced patches for Secret Server On-Premises. 

Technical details of the vulnerability along with proof-of-concept (PoC) code were made public on April 12 in a Medium post by researcher Johnny Yu.

Yu said he had been trying to responsibly disclose his findings to Delinea since February 12, including through the CERT Coordination Center at Carnegie Mellon University, but without success. Based on Yu’s disclosure timeline, Delinea ignored nearly all communication attempts.

A CVE identifier has yet to be assigned.

SecurityWeek has reached out to Delinea for comment, but the company has not shared any clarifications on the botched disclosure process. 

“Delinea Platform and Secret Server Cloud have been updated, and we are working closely with on-premise customers with direct remediation steps. Our Engineering and Security teams have conducted reviews for any evidence of compromised tenant data,” Delinea said in an emailed statement. 

“At this time, we have found no evidence that any customer’s data has been compromised and no attempts to exploit the vulnerability have occurred on Delinea Platform and Secret Server Cloud. Our customer’s security is always a priority and we will continue to monitor this situation and provide updates to customers at trust.delinea.com,” it added.

Related: Palo Alto Networks Releases Fixes for Firewall Zero-Day as Attribution Attempts Emerge

Related: Recent Fortinet FortiClient EMS Vulnerability Exploited in Attacks

Related: Magento Vulnerability Exploited to Deploy Persistent Backdoor