A critical flaw in Delinea’s Secret Server SOAP API disclosed this week sent security teams racing to roll out a patch. But a researcher claims he contacted the privileged access management provider weeks ago to alert them to the bug, only to be told he was not eligible to open a case.
Delinea first disclosed the SOAP endpoint flaw on April 12. By the next day, Delinea teams had rolled out an automatic fix for cloud deployments and a download for on-premises Secret Servers. But Delinea wasn’t the first to raise the alarm.
The vulnerability, which still doesn’t have an assigned CVE, was first publicly disclosed by researcher Johnny Yu, who provided a detailed analysis of the Delinea Secret Server issue, adding that he had been trying to contact the vendor since Feb. 12 to responsibly disclose the flaw. After working with the CERT Coordination Center at Carnegie Mellon University and weeks of no response from Delinea, Yu decided to release his findings Feb. 10.
“I sent an email to Delinea, and their response stated that I am ineligible to open a case since I am not affiliated with a paying customer/organization,” Yu wrote.
After a timeline showing several failed attempts at contacting Delinea and an extension to the disclosure granted by CERT, Yu published his research.
Delinea provided an emailed statement about the status of the mitigation, but did not respond to questions about the timeline of disclosure and response.
The access vendor’s silence on the issue leaves open questions about who can submit bugs to the company, under what circumstances they can do so, and whether Delinea will change the way it manages disclosures in the future.
Vuln Volume Struggles Not Unique to Delinea
The lack of communication about the response signals “issues” with Delinea’s patching processes, according to Callie Guenther, senior manager of threat research at Critical Start. But, she explains, the crushing weight of vulnerability management is taking its toll across the board.
Recently, the National Institute of Science and Technology (NIST) said it can no longer keep up with the number of bugs submitted to the National Vulnerability Database and asked the government, as well as the private sector, to help.
“This is not unique to Delinea; tech companies often face challenges in balancing rapid response with the need for thorough testing of patches,” Guenther explains to Dark Reading. “This situation reflects a larger trend where the complexity and volume of vulnerabilities can challenge security protocols.”
Source: www.darkreading.com