Securden Unified PAM Shared SSH Key and Cloud Infrastructure Vulnerability
Vulnerability
A vulnerability exists in Securden's Unified PAM Remote Vendor Gateway access portal, which shares infrastructure and access tokens across multiple tenants. This flaw allows a malicious actor to obtain authentication materials and access the gateway server with low-privilege permissions. The issue arises from the shared SSH key infrastructure, which can be exploited to access vendor login pages on the internet, potentially leading to further exploitation of other customers running Securden Unified PAM.
Impact
Exploitation of this vulnerability allows for unauthorized access to Securden's gateway server with low-level permissions, using shared credentials across installations. This access could be leveraged to exploit other customers using Securden Unified PAM.
Reproduction
The vulnerability can be reproduced by establishing a reverse SSH tunnel to a remote server using a shared key placed on disk. This tunnel can be created by a Securden Unified PAM instance, exposing the login page for the vendor portal. The SSH key is deleted from the disk after the tunnel is established, but can be intercepted by monitoring file write events.
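For defenders inventorying which hosts open such tunnels, the following added example (not from the advisory or from Securden) parses process-creation command lines and reports every `ssh` launch that requests a remote forward, along with the identity file and gateway it names. It generalizes beyond this product to any OpenSSH client invocation; the event format, host names, key paths and gateway names are constructed assumptions.

```python
import re
import shlex

# OpenSSH client options that take an argument, per ssh(1).
ARG_OPTS = set("BbcDEeFIiJLlmOoPpQRSWw")

def _record(out, flag, val):
    if flag == "o":  # -o "RemoteForward=..." or -o "IdentityFile ..."
        m = re.match(r"\s*(\w+)\s*[=\s]\s*(.+)", val)
        flag = {"remoteforward": "R", "identityfile": "i"}.get(m.group(1).lower()) if m else None
        val = m.group(2) if m else val
    if flag in ("R", "i"):
        out["reverse" if flag == "R" else "identity"].append(val)

def parse_ssh(cmdline):
    """Return reverse forwards, identity files and destination, or None if not ssh."""
    argv = shlex.split(cmdline)  # assumes POSIX-style quoting in the logged command line
    if not argv or re.split(r"[\\/]", argv[0])[-1].lower() not in ("ssh", "ssh.exe"):
        return None
    out, i = {"reverse": [], "identity": [], "dest": None}, 1
    while i < len(argv):
        tok, i = argv[i], i + 1
        if not tok.startswith("-"):
            out["dest"] = tok  # first non-option; anything after is the remote command
            break
        for j, flag in enumerate(tok[1:], start=2):  # walk clustered flags such as -fNR
            if flag in ARG_OPTS:
                val = tok[j:]  # value attached to the flag, e.g. -R8443:localhost:443
                if not val and i < len(argv):
                    val, i = argv[i], i + 1  # value is the next argument
                _record(out, flag, val)
                break
    return out

def find_reverse_tunnels(events):
    findings = []
    for ev in events:
        p = parse_ssh(ev["cmdline"])
        if p and p["reverse"]:
            gw = (p["dest"] or "").rsplit("@", 1)[-1]  # strip user@ from destination
            findings.append({"host": ev["host"], "gateway": gw, "forwards": p["reverse"], "identity": p["identity"]})
    return findings

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"host": "pam01", "cmdline": "ssh -N -i /tmp/gw_key -R 8443:localhost:443 tunnel@gateway.example"},
    {"host": "pam01", "cmdline": "/usr/bin/ssh -fNR0:127.0.0.1:443 -o 'IdentityFile /tmp/k2' -p 2222 relay.example"},
    {"host": "dev07", "cmdline": "ssh -i ~/.ssh/id_ed25519 -L 5432:db:5432 admin@bastion.example"},
]
```

Hosts that appear in the findings can then be checked against the fixed version given under Remediation.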
Remediation
Customers should update Securden Unified PAM to version 11.4.4 or higher.
