Verify Privilege Vault Release Notes 10.7.000000

September 12, 2019

Verify Privilege Vault 10.7 and later no longer support using SQL Server 2008 R2 as the database for Verify Privilege Vault.

Upgrade Notes

  • Verify Privilege Vault 10.7 and later no longer support using SQL Server 2008 R2 as the database for Verify Privilege Vault.
  • Verify Privilege Vault requires Microsoft SQL Server, and for the database be set to the collation SQL_Latin1_General_CP1_CI_AS. See Microsoft SQL collation requirements and check your server collation settings before upgrading. Verify Privilege Vault
  • Added a new system alert in Inbox. Administrators should set a custom URL at Admin Config > Verify Privilege Vault Custom URL to prevent an issue where heartbeat failure emails include an incomplete link.
  • Enterprise customers using load balancing with RabbitMQ may want to delete queues after upgrading Verify Privilege Vault from versions earlier than 10.6. If customers using RabbitMQ do not delete their queues, they will not lose functionality, but old queues that were renamed in a 10.6 architectural update will continue to fill up with messages.

New Features

AWS Discovery

Added discovery for AWS accounts.

SSH Terminal

Added an SSH terminal to Verify Privilege Vault, allowing users to connect to Verify Privilege Vault via SSH to search for secrets, access secret data, and initiate proxied SSH connections.

Integrations

Updated ConnectWise API calls to pass in the ClientID object due to version updates by ConnectWise that requires a ClientID for all API calls. Updates released by ConnectWise in Aug 2019.

Architectural Improvements

Primary Nodes

Note: No configuration changes are needed for these changes to take effect.

  • Removed the need to designate a primary node within a Verify Privilege Vault cluster.

Note: Due to this change, the app setting 'ValidPrimaryNode' is now ignored. Customers using that setting do not need to change anything— the node that is primary will upgrade to have its BackgroundWorker role enabled. All other role configurations stay the same. The node that was primary before and is now upgraded will have the BackgroundWorker role enabled after the upgrade. All other role configurations will stay the same.

  • Migrated Verify Privilege Vault's background processes to Quartz.

This is an improvement over manual thread management and eliminates the primary node concept. Quartz internally ensures that a particular scheduled job is run in only one location. Quartz is database-driven. As such, the previous and next run times are visible by querying the database.

Database Deadlocks

Improved the on-premises background locking database code to avoid deadlocks.

Server Roles

Note: No configuration changes are needed for these changes to take effect.

Updated the following server role to be able to run in maintenance mode:

  • Background Worker role

The following list of server roles will not run in maintenance mode:

  • Engine Worker role
  • Session Recording Worker role

Enhancements

Security

  • Verify Privilege Vault 10.7 uses jQuery 3.2.1, which is listed as vulnerable to the jQuery CVE-2019-11358. Updated Verify Privilege Vault to resolve this jQuery vulnerability.
  • Updated PuTTY version (0.71) in the Verify Privilege Vault protocol handler to support the elliptic curve cipher for handling keys during the SSH connection process.
  • Addressed a security issue where reusing Active Directory usernames could expose secret data.
  • Resolved an issue affecting FIDO2 authentication. Security issue discovered by Vladimir Skuratovich.
  • Two cross-site scripting vulnerabilities were fixed in Verify Privilege Vault. One of these security issues was discovered by Adriaan Schuitmaker.
  • Removed a server-side request forgery issue in the legacy Web launcher. Issue was discovered by Adriaan Schuitmaker.
  • Addressed a security issue that could result in folder name disclosure.
  • Addressed a security issue with dual control where an approver could approve their own access.
  • Resolved a URL Redirection issue.

New User Interface

Drag and Drop Folders

Users can now drag and drop folders in the left navigation pane into other folders. Users must have "Owner" permissions on both folders.

Note: You cannot drag and drop folders to the root folder. To move folders back to the root folder level, right-click a child folder, select "Move Folder" and select Root from the option list.

Special characters (percent signs, brackets, and underscores) are no longer treated as wildcards.

Password Strength Indicator

Redesigned the password strength indicator.

Column Resizing

Users can now re-size columns on secret grids in the new UI. Column re-sizing is sticky per page across user sessions. Column resizing is not available in Internet Explorer.

Duo Push Notifications

Added option to send secret access request notifications as DUO push notifications instead of emails.

Duo User Preferences

Duo login now remembers user preferences and auto-initiates them (after initial login).

Secret Grid Top-Row Anchors

Added top-row anchors for secret grids.

Home Dashboard Redesign

Redesigned the Home Dashboard page.

Alert Improvements

Redesigned the Inbox and added more alert types (Approvals and Requests, System Alerts, Subscription Alerts).

Domain Name Searches

Added searching for users by domain name.

Secret Audit Access

Audit-only users can now view secret audits on secrets that require checkout or are setup for request access without needing to go through the checkout or access approval workflows.

WEBSERVICES Naming Prefix

Removed the redundant "WEBSERVICES" naming schema from secret audits where the service is also used by the new UI. "WEBSERVICES" still appears in audit reports where the service is not also used by New UI.

Messaging for Permission Changes When Moving Folders

Updated messaging when moving folders so that users are aware of permission changes.

New and Classic UI Feature Sync

We are incrementally porting features from the classic to the new UI. In this upgrade the new UI added support for:

  • NATO Phonetics.
  • Deleting dependency groups. [
  • Scrolling for the groups and users picker.
  • Secret checkout hooks and corresponding REST API endpoints.
  • Showing proxy SSH login credentials information on SSH secrets.
  • Setting custom password requirements per secret to override secret template requirements as needed.
  • Launcher preferences on the secret-level to override launcher template requirements as needed.
  • SSH command restrictions option.
  • Launcher settings for SSH launchers to the new UI. Settings not yet implemented include mapped Web launchers, non-mapped Web launchers, and form filler.
  • Added a "Save to File" option for audit history and secret grids.

ESXi Support Improvements

Added a configuration option for Verify Privilege Vault to allow ESXi TLS connections to ignore self-signed certificates, allow certificates from specific issuers (even if issuer is not in trusted certificate lists), or completely skip certificate validation when using ESXi password changer, heartbeat, or discovery.

Important: For security reasons, we do not encourage customers to use self-signed certificates. Therefore, the new configuration settings listed below are not accessible through the UI. If you need to alter the default ESXi certificate validation settings, submit a case through IBM Security's Support Portal for assistance.

New advanced configuration settings include:

  • ESXi.IgnoreSelfSignedCerts: If true, ignores any self-signed certs (subject = issuer) from ESXi hosts during heartbeat, RPC, and discovery.
  • ESXi.CertIssuersToIgnore: Semi-colon delimited list of issuer names (in format shown on certificate—such as "O=Issuer Name"). Ignores partial chain errors due to certificate being issued by any issuer in this list when that issuer is not in the trusted root or intermediate CAs lists on the server.
  • ESXi.IgnoreAllCertErrors: If true, certificate validation will not be performed. All certificate errors will be ignored.
  • ESXi.CertificateChainPolicyOptions: Identical to TLS Audit option, but specifically for ESXi. Allows setting X509 options to be applied to certificate validation. This is a comma-delimited list of options.
  • ESXi.ClientCertificateIds: identical to TLS Audit option, but specifically for ESXi. If ESXi host requires the client to present a valid certificate, this is a semi-colon delimited list of client certificates on the server to try to present.
  • ESXi.AuditTlsErrorsDebug: Identical to TLS Audit option, but specifically for ESXi. If set to true and Verify Privilege Vault (or DE) auditing is set to DEBUG, detailed debug messages about the certificate chain will be written to the log file.
  • ESXi.IgnoreDefaultHostCert: Sets all the TLS configuration options necessary to not fail due to a default ESXi host certificate and its issuer not being in the trusted certificates lists. This is a combination of setting the issuer to ignore and not performing a revocation check. Setting this to true should be the first change to make when attempting to resolve heartbeat, RPC, or discovery issues to ESXi hosts when using PowerCLI versions later than 5.5.

Note: Issues with self-signed certificates previously implemented by customers were caused by a security update to the VMware vSphere PowerCLI in versions after 5.5 that no longer permits the use of self-signed certificates.

Webservices REST API

  • The webservices API is now enabled by default for all new Verify Privilege Vault installs, regardless of licensing. Existing customer settings will not change on upgrade.
  • Added a safeguard to the API to prevent license activation attempts when licenses are already activated.
  • Added a new REST call to favorite a secret through the API.

Favorite a secret by running a POST request to <secret_server_url>/api/v1/secrets//favorite by setting isFavorite: Boolean. If left without a value, the favorite status will be toggled. If set to true or false, the favorite status reflects the value of isFavorite.

  • Added a new REST call to get current user's favorite secrets through the API.

Get the current user's favorite secrets by running a GET request to <secret_server_url>/api/v1/secrets/favorite

An array of secret-related information is returned: {id=1; folderId=4; folderPath=\FavoriteTest; secretid=test1}

  • Added refresh tokens for the REST API. Refresh tokens allow users to continue using tools like the Web plugin beyond the normal timeout internal, as long as they remain active.

Refresh token expiration is set to "session timeout" value plus 15 minutes. By default, three refreshes are allowed before re-authentication. Enable refresh tokens for Web services under General Configuration.

  • Added new API Calls:

    • Create Domain: POST /directory-services/active-directory/domains
    • Create Script: POST /userscripts
    • Create Secret Dependency Group: POST /secret-dependencies/groups/
    • Create Secret Hook: POST /secret-detail//hook
    • Delete Secret Hook: DELETE /secret-detail//hook/
    • Export Report: POST /reports/export
    • Favorite a Secret: POST /secrets//favorite
    • Get Domain: GET /directory-services/active-directory/domains/
    • Get Domains: GET /domains
    • Get Script: GET /userscripts/
    • Get Secret Hook Details: GET /secret-detail//hook/get/
    • Get Secret Hooks: GET /secret-detail//hooks
    • Get Secret Launcher Details: GET /launchers/secret
    • Get SSH Proxy Information: POST /secrets/sshproxy
    • Launch a Secret: POST /launchers/secret
    • List a User's Favorite Secrets: GET /secrets/favorite
    • Search Domains: GET /directory-services/active-directory/domains
    • Search Scripts: GET /userscripts
    • Stub Hook: GET /secret-detail//hook/stub/
    • Update Secret Hook: PUT /secret-detail//hook/
  • Updated API calls:

    • Update Secret Field : PUT /secrets//restricted/fields/
    • Update Secret : PUT /secrets/

Verbose Logging

Enhanced verbose logging for diagnostics to increase clarity and support troubleshooting. This ongoing project began in 10.6.26. Added additional logging for:

  • Protocol Handler: IBM Security.ProtocolHandler.
  • SAML Response Processor: SAML.SamlResponseProcessor.
  • SAML Legacy Configuration: SAML.LegacySamlConfiguration.
  • Secret Notification Emailer: SecretNotiificationEmailer.
  • Event Subscriptions: EventSubscriptions.

General

  • Enabled the setting "Enable Local User Password History" to be enabled by default for new Verify Privilege Vault installs. This blocks a user from re-using an old password when setting a new password.
  • Added a configuration option to automatically disable inactive users if they have been inactive for a minimum of one month. Enable this setting if your environment is setup for AD Synchronization. Go to Admin > Active Directory in the Active Directory User Synchronization section. Click Advanced (not required) > Set Automatic User Management and select yes.

Bug Fixes

REST API

  • Fixed a bug in REST API documentation for recorded session searching to properly detail URL array parameters and display the available values for searchTypes. Also updated the check for searchTypes to be case-insensitive for searching in the documentation.

    The check for searchTypes is now case-insensitive. Some work was done previously to return an error if no search types were provided. REST documentation was not properly detailing URL array parameters, they are now being displayed correctly and the available values for searchTypes are detailed in the documentation.

  • Fixed an issue where creating a folder through the REST API always set the permission inheritance to false on the folder, even when the parent folder was set for inheriting permissions. This meant that upon create, the folder itself inherited permissions from its parent folder but future objects created in the folder did not inherit permissions.

    The create-folder REST endpoint no longer always copies permissions from the parent folder down on to the sub-folder. Instead, if you set the inherit permissions property in the request to true, permissions will copy down from the parent on to the newly created folder. Should the user omit the inherit permissions property from the request body, the default value is also set to true. In order to not inherit permissions from the parent folder for a newly created folder thru the REST API, a user must set the inherit permissions property to false in the request body.

  • Fixed a REST API issue where the "View Secret Audit" permission was incorrectly required to access a secret summary through the API.

    During the permissions check for the REST API, a default route was being taken which included checking for View Secret Audit permissions. A more specific series of permissions checks are now being used which allows the View Secret Audit permission to be ignored.

  • Fixed an issue where the search results returned for InheritSecretPermissions in the REST API were not accurate.

  • Fixed a bug where REST API calls on systems using Windows Auth would fail after the first call due to logic that incorrectly flagged for cookie expiration.

  • Fixed a re-introduced issue where the "Webservice Password Displayed" audit was logged incorrectly when API calls to Get secret fields that were not password-related occurred. This issue was originally fixed in version 10.6.26 but reintroduced in version 10.6.27.

    The SecretGetQuery.SecretItemsViewed was not being forwarded to the actual GetSecret method which handled the auditing logic. By omitting it, it assumed all secret fields were being viewed by the user hence the password viewed audit was being recorded.

  • Fixed a bug where Oauth tokens were deleted for a current user when attempting to change the password of another user through the REST API.

  • Fixed a REST API bug where if enableInheritPermissions was set on FolderModel and UpdateFolder objects, updating secrets through the API in those folders did not respect the inherited permissions.

  • Fixed an issue where existing file attachments were removed when editing or saving secrets through the REST API.

Mac Launcher

Note: To update your Mac launcher and apply this fix, you must first fully uninstall the Mac protocol handler.

  • Fixed a Mac launcher issue where a launched session would hang if user attempted to scroll using a mouse wheel or a track pad. This issue occurred because the 9-bit signed value for handling mouse wheel events was not properly parsed for "coarse-grained" mouse movements within FreeRDP.
  • Fixed an issue in the Mac Launcher Protocol Handler where FreeRDP was calling to re-sync specific modifiers (Caps Lock, Num Lock) and not the current pressed state of the other modifies on every key-down event during Mac launcher sessions. This caused the other modifiers (such as Shift and Ctrl) to reset back to their base state even when the keys were being pressed.

General

  • Fixed an issue where Verify Privilege Vault could not correctly identify the state of a ServiceNow ticket. Ticket status in ServiceNow is indicated by both a state label (such as New, Open, WorkInProgress, ClosedComplete, ClosedIncomplete, ClosedSkipped, Assess, Authorize, Scheduled, Implement, and Review) and a state value. An update from ServiceNow changed both the labels and the values corresponding to each state, resulting in the issue.

Note: Validating custom ticket states will be addressed in a future release.

  • Fixed an issue where heartbeat failed as a bulk operation on ESXi Servers. When a bulk operation ran, multiple threads would try to access the same file on the machine at the same time. A check whether the file was in use was added to resolve this issue.

  • Resolved an intermittent radius socket error that occurred during user logins:

    • Zero can now be used as a valid on-prem port. This will not use the port range and will allow Windows to select a valid port to use.
    • The Port Bag (collection of ports) no longer accepts duplicates.
    • When un-caching a challenge request the cached request will now get a new client port to use when binding to the UDP client.
  • Fixed an issue where secret templates containing custom fields caused an error when key management was enabled.

  • Fixed an issue on environments with multiple domains where the dropdown for users on the AD synchronization page only displayed members from one domain instead of displaying all users across all domains.

  • Resolved an issue with persistent TCP/STCP connections closing too quickly. Lost connections led to errors thrown when sending syslog messages. To resolve this issue, caching for connection traffic over TCP/STCP was introduced and can be configured in the web-appsettings.config file by adding:

  • Fixed a bug where two-factor PIN emails were not sent on initial login if the user's login, the local admin account, and another user were all configured to use the same email address.

    The SMTP client and application name are now resolved on the initial login page. That way the PIN Code page can read those values and send the e-mail even if the lifetime scope is lost before the PIN Code page is loaded.

  • Updated some instances where a browser's built-in auto-complete feature would incorrectly enter data into fields when a Verify Privilege Vault page was loaded.

    The root of this issue was that the mechanism for disabling a browser's auto-population for username and password fields on page load changed across all browsers. The old mechanism added the attribute autocomplete="off" to the target input or form field if you did not want the browser to auto-populate on page load with user credentials. The new way changed the value of the added attribute to be autocomplete="new-password" for populated fields.

Note: Clear browser history cache after upgrading to apply these fixes.

  • Fixed a bug where changes were saved even after canceling on the Admin > Configuration > Login tab.

  • Fixed an issue where checkout and check-in hooks caused an exception error for a user if they only had list permissions on a privileged account when attempting checkout.

    This issue occurred when attempting to load the privileged secret with the user's permissions, which would fail unless the user had view or greater permissions on the privileged secret. A change was made to load the privileged secret using the system identity to prevent access issues.

  • Updated extensible discovery for the PowerShell scanner to automatically fill in an AdGuid and DistinguishedName when those values are not present on the scan item for OU/Host Ranges and Machines.

    If scanning Active Directory, adding DistinguishedName to the scan item is recommended. In this instance, you must remove the domain portion of the DistinguishedName.

  • Fixed an issue where saving a secret policy on a new secret template did not allow the latest password changer templates to be selected for password rotation. This prevented secrets of the latest template types to be assigned as a privileged account for the password rotation.

  • Updated the group picker for editing users in groups so that users are now sorted consistently via alphabetical ordering. Before this update, usernames in the two sides of the group picker were sorted differently.

    Updated all of these, Group Create, Edit and View pages, to sort by the "Known As" field. If DomainId is null, the field returns DisplayName. Otherwise, it returns DomainName\DisplayName.

  • Fixed an issue where IBM Security One (T1) users were unable to login to Verify Privilege Vault through the mobile and desktop app when IBM Security One was enabled for Verify Privilege Vault.

    There's a new configuration option "Enable IBM Security One Integration" in Verify Privilege Vault to do API authentication against IBM Security One (the old way) or not (the new way). This is under Configuration > Login. When checked, the mobile app should accept IBM Security One credentials. When unchecked, the mobile app should accept local account credentials. If T1 is turned off, or if the user doesn't have a T1 mapping, it will always accept local account credentials.

  • Fixed a bug that blocked workflows from being enabled on a secret in the new UI for Cloud Professional users if no approvers were defined on the workflow.

    When no approvers were defined for a workflow step an error was thrown trying to retrieve the max number that could be set for required approvers at that step.

  • Fixed an issue where custom reports that contain "Permissions" as a field name were not successfully created.

  • Fixed a bug where the "Last Scanned Date" for AWS and domain accounts were not properly updated on the Discovery Network View.

    Updated the Last Polled Date for the Domain Accounts to use the LastDiscoveryCompletedDate from the tbDiscoveryConfiguration table.

  • Updated error messaging when Verify Privilege Vault is unable to connect for heartbeat status. Added exception handling for Socket timeouts and errors to be treated as unable to connect instead of as an Unknown error.

  • Fixed an issue where users synchronized from Active Directory through Distributed Engine did not have their UserPrincipalName populated.

  • Fixed a bug where disabling users for an event subscription blocked the event subscription from being saved.

    This issue was related to a Linq expression which used Single instead of SingleOrDefault, which caused the respective exception when no elements were returned from collection.

  • Fixed an issue where rotating secret keys broke in a clustered environment.

  • Fixed an issue where creating sub-folders from the folder menu did not use "No Policy" default settings when set to not inherit a policy.

  • Resolved an application error that occurred when the expiration interval was set too high on a Secret Template.

    When the expiration was set to a large number the date calculation would overflow causing both secret search and secret view to break since they both tried to calculate it. Now both cap the expiration days at 9999 as the UI currently limits expiration to that maximum.

  • Fixed an issue in the new UI where deleted secrets remained on display on the Favorites page after a page refresh.

  • Fixed an issue in the new UI that occurred when fields in a column in a secret grid view could appear blank if a secret template had multiple fields with the same name.

  • Fixed an issue in the new UI where folder breadcrumbs were incorrectly sorted by Folder ID instead of by the location in the folder tree.

    Folder breadcrumbs were being incorrectly sorted by ID on the server before the API response was generated, which only works if no folders have ever been moved. That ordering was removed and now the folder order is returned properly from the API.

  • Updated tooltip messaging for the user interface configuration options.

  • Fixed an issue in the new UI where users were not always directed to the All Secrets page upon login.

    When a user was logged out in angular, the ReturnUrl was not always set. The ReturnUrl query string is used after logging in to know where to redirect a user.

  • Updated the new UI to hide reports under admin options when a basic user does not have the "View User Audit Report" permission.

  • Fixed a Firefox browser issue for versions 60.0 and greater where search prompted errors in the new UI.

    A nonstandard JS property was being used that isn't supported in all browsers. Property was replaced with its standard equivalent to ensure support in all browsers.

  • Fixed an issue where the password field did not re-appear after removing the "hide launcher password" policy on a secret.

  • Fixed an issue in the new UI where Danish Characters did not display correctly in the Folder list.

  • Fixed an issue where the Heartbeat Status column did not always display on page load in the new UI.

  • Fixed a bug where allowlisted launcher options did not properly populate in the new UI.

  • Fixed a bug where the password history for a secret did not display the correct password if the password included a less than symbol (<).

  • Fixed an issue in the new UI where Approval, Access Request, and Checkout secrets incorrectly blocked access from administrators when Unlimited Admin Mode was enabled.

    State service was returning state values without considering unlimited admin mode.

  • Fixed an issue where read-only mode was set as default in the new UI until the interface fully loaded, resulting in brief displays of the Read-Only mode notification if a user's browser experienced slow load times.

  • Fixed an issue where editing a secret policy would throw a null ref error in the new UI if the policy applied to a folder but was not enforced.

  • Fixed an issue where discovery was unable to recognize special characters (such as Ã, ‡, ƒ, and ±) in organizational unit (OU) objects when scanning an entire domain.

  • Fixed an issue with Active Directory synchronization where using the SynchronizeNow group flag could cause users not in that group to be disabled when AD sync was set to "Mirror AD."

  • Fixed an issue where the Active Directory credential cache was not checked when using a distributed engine due to LDAPProviders bypassing exception handling.

  • Optimized SQL query used to process large result sets in the tbSecretPasswordResetSecrets table. This addresses an issue where expired secrets failed to process due to large volumes of secrets.

  • Fixed a bug where domains listed with friendly names did not adequately check for uniqueness of Fully Qualified Domain Names (FQDNs) therefore allowing FQDN duplication. If FQDN duplication occurred, AD Synchronization domain mismatch failures resulted when running AD Sync.

  • Fixed a bug in environments with Integrated Windows Authentication (IWA) enabled where Google two-factor authentication users who clicked the "Lost my Phone" link received an error.

  • Enhanced performance for discovery when one endpoint returns large numbers of accounts (20k+).

  • Fixed an issue with search in the new UI where searches were locally cached instead of cleared on route navigation within the app.

  • Updated the new UI to accept non-ASCII usernames.

  • Fixed an issue where the Reports page in the new UI did not process HTML-encoded data, leading to special characters like "é" not displaying correctly on the page.

  • Fixed an issue in the new UI where the "Save to File" option on tables was not created in a download method that Internet Explorer 11 supported.

  • Fixed an issue where copy and convert actions on a secret template could apply parent folder policies to the new secret rather than applying the original secret's policy. This occurred due to using a cached version of the secret template instead of the updated version.

  • Fixed an issue where non-standard UTF8 characters were not saving properly when saving reports to file in the new UI.

  • Fixed an ordering issue when querying reports where the audit to identify the user who runs the query ran after the query rather than before.

  • Fixed an ordering issue when querying reports where the user-identification audit ran after the report query instead of before.

  • Fixed an issue where live view-session videos did not work in the Internet Explorer 11.

  • Fixed an issue where outbound queue messages overloaded in some environments. Added expiration time to outbound discovery and Active Directory sync messages. AD sync and discovery scan messages now expire based on their configured interval.

  • Fixed an issue where the bulk conversions for secret templates did not populate the target template list.

  • Fixed an issue where naming patterns were not properly enforced in the new UI when creating secrets.

  • Fixed an issue where the approval-request expiration time did not properly handle time zone differences. We changed validation to compare minutes instead of days.

  • Fixed a bug where the "confirm action" button did not activate on bulk actions when assigning the "inheriting permissions" action.

  • Fixed an issue where changed fields on the edit page for assigning secret auto-schedules could block a schedule from saving.

  • Resolved issue with SSH key password rotation for some versions of Unix and specific templates.

  • Fixed issue with IAM Token rotation over distributed engines.

  • Fixed a bug where custom launchers that passed the port field from a secret as a launcher argument would fail because the launcher was using the port value from the secret template launcher configuration instead of the port value from the secret.