Verify Privilege Vault Release Notes 10.4.0

Release Date: 1/17/2018

Customers with trial licenses in their Verify Privilege Vault instance who upgrade to 10.4 will be required to activate those licenses.

Enhancements

  • Verify Privilege Vault SDK: The Verify Privilege Vault SDK replaces and improves upon the existing functionality of the Java API and .NET/Application API. Users can leverage this SDK to tokenize credentials in scripts and configuration files for .NET web applications. The SDK can also call for a REST Web Services authentication token for added functionality. Finally, the SDK has a local encrypted cache for every location it is installed in to allow for quicker transit times and resiliency in case communication with Verify Privilege Vault is lost.

  • Session Monitoring Multiple Nodes: Clustered Verify Privilege Vault environments will now automatically split the processing load for Session Monitoring events.

  • AD Credential Cache: Verify Privilege Vault can create an encrypted storage for hashes of Active Directory users' credentials that is updated on every successful authentication to Verify Privilege Vault and allows for users to continue to access Verify Privilege Vault even if communications are lost between Distributed Engine and the Domain Controller(s).

  • Verify Privilege Vault now has a REST endpoint to manage Secret dependencies.

  • Verify Privilege Vault now has a REST endpoint to manage groups.

  • Verify Privilege Vault's Firefox browser extension has been updated so it can continue to work with the latest versions of Firefox.

  • Verify Privilege Vault can now communicate to SIEM tools using a TLS connection.

  • TLS connection successes and failures with Active Directory Synchronization and SIEM integration are now audited.

  • Verify Privilege Vault can now send audits to Windows Event Logs.

  • Enhanced Dashboard search performance.

  • Enhanced Active Directory synchronization performance.

  • File uploads on Secrets now have file extension and size restrictions.

  • Added a Security Hardening report to indicate whether email communications are set to use HTTPS.

Bug Fixes

  • Fixed issue where SSH custom password changers failed Heartbeat when using SSH Key authentication.
  • Fixed issue where Discovery would incorrectly show as misconfigured despite having configured Discovery sources.
  • Fixed issue where random password generation may generate a password containing 2 consecutive characters contained in the Active Directory username.
  • Fixed issue where the login assist for Chrome would not work if an IP address was in the URL field of a Secret.
  • Fixed issue where numerous domains in Discovery could cause failures in communicating with the SQL database.
  • Fixed issue where Discovery would only use the correct Distributed Engine Site on the first dependency type when scanning for all dependencies across multiple domains.

  • Fixed issue where a significant number of Secrets that were failing a password change would freeze Distributed Engine.

    Security Fixes

  • Fixed XXE issue on Web Launcher configuration page.
  • Fixed XXS issues on New Engines management page.
  • Fixed XSS issue on Secret Dependency Changers page.
  • Fixed issue where Verify Privilege Vault upgrade logs written to the server hosting Verify Privilege Vault were accessible via a URL.
  • Fixed issue where Remember Me for 2FA bypassed Duo's deny logon security settings on users in some cases.
  • Updated PuTTY client for Session Launching to v0.70.
  • Fixed potential security issue where the RDP service port on the client machine could be used to open a concurrent RDP session to the target machine when RDP connections were proxied through Verify Privilege Vault.
  • Fixed LESS Injection issue on Theme management page.
  • Fixed issue where language resource ASHX files in Verify Privilege Vault could be accessed by any user with access to the application.
  • Fixed issue where default settings on PuTTY logging settings could expose the password of a user.