Delinea Fixes Flaw, but Only After Analyst Goes Public With Disclosure First

Published: 23/11/2024   Category: security




Delinea rolls out Secret Server SOAP API flaw fixes, while researcher claims the vendor ignored his findings for weeks.



A critical flaw in Delinea's Secret Server SOAP API, disclosed this week, sent security teams racing to roll out a patch. But a researcher says he contacted the privileged access management (PAM) vendor weeks earlier to alert it to the bug, only to be told he was not eligible to open a support case.
Delinea first disclosed the SOAP endpoint flaw on April 12. By the next day, Delinea had rolled out an automatic fix for cloud deployments and a downloadable patch for on-premises Secret Server installations. But Delinea wasn't the first to raise the alarm.
The vulnerability, which still doesn't have an assigned CVE, was first publicly disclosed by researcher Johnny Yu, who published a detailed analysis of the Delinea Secret Server issue and added that he had been trying to contact the vendor since Feb. 12 to disclose the flaw responsibly. After working with the CERT Coordination Center (CERT/CC) at Carnegie Mellon University and weeks of no response from Delinea, Yu decided to release his findings on April 10, two days before the vendor's own advisory.
"I sent an email to Delinea, and their response stated that I am ineligible to open a case since I am not affiliated with a paying customer/organization," Yu wrote.
After a timeline showing several failed attempts at contacting Delinea and an extension to the disclosure granted by CERT, Yu published his research.
Delinea provided an emailed statement about the status of the mitigation, but did not respond to questions about the timeline of disclosure and response.
The access vendor's silence on the issue leaves open questions about who can submit bugs to the company, under what circumstances they may do so, and whether Delinea will change the way it handles disclosures in the future.
The lack of communication about the response signals issues with Delinea's patching processes, according to Callie Guenther, senior manager of threat research at Critical Start. But, she explains, the crushing weight of vulnerability management is taking its toll across the board.
Recently, the National Institute of Standards and Technology (NIST) said it can no longer keep up with the number of bugs submitted to the National Vulnerability Database (NVD) and asked the government, as well as the private sector, to help.
"This is not unique to Delinea; tech companies often face challenges in balancing rapid response with the need for thorough testing of patches," Guenther explains to Dark Reading. "This situation reflects a larger trend where the complexity and volume of vulnerabilities can challenge security protocols."
