A critical flaw in Delinea’s Secret Server SOAP API revealed this week has security teams racing to roll out a patch. But one researcher says he contacted the privileged access management vendor weeks ago to alert them to the bug, only to be told he wasn’t eligible to open a case.
The SOAP endpoint flaw was first officially revealed on April 12th. By the next day, Delinea teams had deployed an automatic fix for cloud deployments and a download for on-premises Secret Server installations. But Delinea was not the first to raise the alarm.
The vulnerability, which does not yet have an assigned CVE, was first made public by researcher Johnny Yu, who published a detailed analysis of the Delinea Secret Server issue, adding that he had been trying to contact the vendor since February 12 to responsibly disclose the flaw. After working with Carnegie Mellon University’s CERT Coordination Center and after weeks of no response from Delinea, Yu decided to make his findings public on February 10.
“I emailed Delinea and their response stated that I am not eligible to open a case as I am not affiliated with a paying customer/organization,” Yu wrote.
After a timeline showing several failed attempts to contact Delinea and a disclosure extension granted by CERT, Yu published his research.
Delinea provided an emailed statement on the status of mitigation, but did not respond to questions about the timing of the disclosure and response.
The access provider’s silence on the matter leaves open questions about who can report bugs to the company, under what circumstances they are able to report them, and whether process changes will be made in how Delinea handles disclosures in the future.
Vuln volume issues not unique to Delinea
The lack of communication about the response signals “issues” with Delinea’s patching processes, according to Callie Guenther, senior manager of threat research at Critical Start. But, she explains, the crushing weight of vulnerability management is having an impact across the board.
Recently, the National Institute of Standards and Technology (NIST) said it is no longer possible to keep up with the number of bugs submitted to the National Vulnerability Database and asked the government, as well as the private sector, for help.
“This isn’t unique to Delinea; tech companies often face challenges in balancing rapid response with the need for extensive patch testing,” Guenther explains to Dark Reading. “This situation reflects a larger trend in which the complexity and volume of vulnerabilities can challenge security protocols.”