A critical vulnerability, CVE-2024-45488, has been discovered in One Identity’s Safeguard for Privileged Passwords (SPP), an enterprise-level solution designed to protect and manage privileged credentials. This vulnerability, commonly referred to as “Skeleton Cookie,” allows attackers to bypass authentication and potentially gain full administrative access to the virtual appliance, posing significant security risks.
Safeguard for Privileged Passwords (SPP) is a product developed by One Identity, widely used by organizations to manage privileged access and automate the process of handling highly sensitive credentials. The platform is designed to:
SPP is commonly used by large enterprises, government agencies, and organizations that need to manage numerous privileged accounts, such as IT administrators, system architects, and database managers. These organizations often rely on SPP to ensure that access to sensitive data is only granted to authorized personnel and that all activity is securely logged and monitored.
CVE-2024-45488 arises from a hard-coded cryptographic key found in SPP virtual appliance images. This vulnerability allows attackers to forge session cookies, which can then be used to bypass authentication mechanisms. Once an attacker gains access by using this vulnerability, they can establish an authenticated administrative session. From there, they have the same control as legitimate administrators, enabling them to:
The AmberWolf research team, consisting of David Cash and Richard Warren, was responsible for discovering this vulnerability. They provided a detailed breakdown of their findings and even demonstrated how to exploit the flaw through a video demo. Their investigation showed how this hard-coded key, present in certain virtual appliance setups, could be easily leveraged to gain unauthorized access.
While the vulnerability is serious, it only affects SPP virtual appliances that run on platforms like VMware and Hyper-V. Deployments on physical appliances or those hosted in Azure, AWS, Oracle Cloud Infrastructure (OCI), or other officially supported cloud platforms are not vulnerable.
This means that organizations using virtualized environments for their SPP installations are at risk. Given the widespread use of virtualization in modern IT infrastructures, many companies are likely affected. Virtualized environments are particularly common in enterprises aiming for flexibility, scalability, and cost savings.
One Identity has responded to the vulnerability by confirming that the issue is resolved in newer versions of the SPP software. Users are advised to upgrade to the following fixed versions:
It is critical that organizations using vulnerable versions of SPP immediately update to one of these patched releases to mitigate the risk of exploitation. For those unsure whether their systems are vulnerable, AmberWolf has released a script that allows users to check whether their instance is susceptible to exploitation of CVE-2024-45488.
Security experts continually emphasize the importance of securing privileged access within an organization. Privileged accounts, such as system administrators or database managers, have the highest level of access within an organization, and compromising these accounts can lead to catastrophic consequences. A Ponemon Institute study reported that privileged access misuse was involved in 74% of data breaches.
Saryu Nayyar, CEO of Gurucul, highlights the growing risks associated with mismanaged privileged access, noting, “Once attackers gain access to a privileged account, they effectively control the organization. Protecting and monitoring privileged access should be the top priority for any security-conscious enterprise.”
In the case of CVE-2024-45488, an attacker could access or manipulate sensitive credentials stored in managed accounts. This could allow them to move laterally within the organization’s network, gaining unauthorized access to additional systems or sensitive data, making this vulnerability extremely dangerous if not addressed.
CVE-2024-45488 represents a critical vulnerability in One Identity’s Safeguard for Privileged Passwords, and organizations using virtualized deployments of SPP must take immediate action to secure their environments. With the ability to bypass authentication and gain administrative access, the Skeleton Cookie flaw could enable attackers to compromise entire infrastructures if exploited.
Organizations should patch their systems immediately, using the updated versions provided by One Identity, and implement best practices for securing privileged accounts.