Verify Privilege Vault: 10.9.000005/33 Release Notes
Release date:
- December 14, 2020 (on-premises version)
- December 12, 2020 (cloud version)
Important: If you installed Verify Privilege Vault as your default or top-level website and you have Verify Privilege Manager (PM) and Verify Privilege Vault installed together, you may experience the following issues after upgrading to .NET Framework 4.8:
- PM agents will not register.
- When a PM agent updates itself (using the agent utility), it states that there are zero policies to download.
If you believe this scenario applies to you, please contact IBM Security Support before performing a .NET, Verify Privilege Vault, or PM upgrade.
Important: This release corrects a critical issue discovered in Verify Privilege Vault version 10.9.000032. IBM Security encourages all customers to upgrade any 10.9.00032 installations to 10.9.000033 as soon as possible. For more information, including remediation (if you have been affected), see the Verify Privilege Vault: 10.9.000005/32 Release Notes.
Note: All the original release notes for 10.9.000032 have been moved here for convenience and clarity.
Upgrade Notes
IBM Security encourages all customers to upgrade at the earliest opportunity.
Note: This version of Verify Privilege Vault uses a two-step upgrade. See Verify Privilege Vault: 10.9.000005/33 Release Notes.
New Features and Enhancements
HSM Key Rotation
This feature enables customers using a Hardware Security Module (HSM) to rotate their root encryption key. Verify Privilege Vault supports using an HSM to store the root encryption key for all data in the Verify Privilege Vault database. Some customers have security policies requiring rotation of all encryption keys. Until now this was a manual process.
DSV Integration: SSH Key Synchronization
Further enhancing the integration between Verify Privilege DevOps Vault (DSV) and Verify Privilege Vault, the integration now supports customers using DSV to provide PAM services to their DevOps teams. DevOps teams may use SSH keys to access portions of their infrastructure.
SSH Key Authentication to SSH Terminal
SSH terminal in Verify Privilege Vault provides SSH access for users who do not want to use the Verify Privilege Vault UI. This is particularly useful for Linux users. These users commonly use SSH keys to authenticate to servers and services. Providing SSH key authentication to SSH terminal allows them to continue to use their preferred access tools with Verify Privilege Vault.
User Interface
- Verify Privilege Vault now uses the terms allowlist and denylist. See IBM Security shifts the language used in products and materials to promote inclusivity.
- New content has been added to "empty" user interface pages to explain initial actions to be taken by new users to streamline the onboarding experience. There is now more information about what they are able to do with helpful links to the knowledge base and corresponding technical documentation, giving them more confidence as they navigate Verify Privilege Vault for the first time.
- Ongoing new user interface updates include pages such as User Management, Login, Reports, and Distributed Engine configuration.
General
- Added the ability to trigger event pipelines on the heartbeat UnableToConnect status. This feature adds a new advanced configuration setting, "Heartbeat: Include UnableToConnect as Heartbeat Failure Event". When toggled to true, this setting allows a user to include UnableToConnect as part of the heartbeat failure event subscriptions. It defaults to false.
- Improved handling of site-based requests in relation to heartbeats and remote password changer.
- Verify Privilege Vault now integrates with Slack, allowing for notifications and workflow handling. This includes approval requests, recently used secret notifications, and launching secrets.
Security
-
Added protection against malicious remote code execution through CEF log file tampering.
Note: Only applies to Verify Privilege Vault on-premise.
-
Added protection against malicious argument injection in SSH launcher.
API
-
Fixed an issue to properly display API_AccessDenied as a 403-error code.
-
Updated error handling and prompts when editing a group via Active Directory sync. The error for the add has been changed to API_CannotAddRemoveUsersFromDirectoryManagedGroups for clarity. The remove has also been updated to throw that error when the group is from AD sync.
-
Created the following new endpoints:
-
Distributed engine
-
Dual controls
-
Report schedule
-
Secret policy search
-
Slack
-
Ticket System
-
User and group management
-
Integrations
- Fixed an issue with ServiceNow validation that caused tickets in "Active" status to fail validation. Added an active status to the default allowed statues for ServiceNow. This auto-populates when ServiceNow is setup.
- Fixed an issue when creating a ServiceNow ticket without a secret caused a failure. The system now validates the secret field being required before proceeding.
Protocol Handler
Protocol handler is updated for this release. Added Verify Privilege Vault protocol handler administrative settings that you can configure through Microsoft's Group Policy Objects (GPOs) or through Verify Privilege Vault itself. One setting controls which domains, URLs, or IP addresses the protocol handler installation may connect to. The other setting ensures protocol handler will never auto-update itself, even if told to by the Verify Privilege Vault installation that it connects to.
Bug Fixes
- Fixed an issue causing duplication of tbOAuthExpiration. Added process that deletes a tbOAuthExpiration object if one was created earlier in the same request and another one is about to be created.
- Fixed an issue where the date format displays incorrectly according to the date preference set by the user.
- Fixed an issue in RPC where a space in the character set fails PowerShell password changes. We now enclose all parameters that go to the PowerShell Password Changer in double quotes.
- Fixed an issue preventing authentication to VMware with API via PowerShell. All fields of associated secrets are available in RPC scripts now.
- Fixed an issue causing the discovery start time to increase after each interval based on extending completion times. Changed the logic for both discovery and computer scan to run based upon the start date and not run if a scan is in process.
- Fixed an issue with UNIX discovery search filter not matching the machine scanner. Modified a tool tip indicating that $machine filters cannot be used with host range and machine scanners.
- Fixed a script issue for ParseDataItems not handling edge case—System.NullReferenceException: Object reference not set to an instance of an object. Added a null check for the return object in ParseDataItems.
- Fixed an event subscription issue where the engine offline email alert was not being sent.
- Fixed an issue for SSH-proxied secret's audit log where no results are displayed when selecting "Show Proxy Credentials."
- Fixed an issue for RDP-proxied secret's audit log where no results are displayed when selecting "Show Proxy Credentials."
- Fixed an issue that when navigating manually to an enabled secret from a deleted secret erroneously retained the deleted banner.
- Fixed an issue where users are not automatically re-enabled while using "Automatic User Management" with SAML.
- Fixed an issue that caused inability to bulk assign privileged accounts for Unix secrets. Added new "Update Associated Secrets" bulk operation which sets the associated secret list on any selected secrets.
- Fixed an issue where the folder search was not functioning when importing accounts to a folder.
- Fixed an issue causing Oracle scripts to not execute successfully on remote distributed engine.
- Fixed an issue with the left navigation folder tree navigation causing the horizontal scroll to function incorrectly.
- Fixed an issue with Office 365 and Azure AD causing a wrong heartbeat status code and preventing consecutive attempts. Added code to differentiate authentication errors coming back from Office 365 from other errors. Authentication Errors will continue to create a "LoginFailed" error on the result while all other errors will generate "UnableToConnect".
- Fixed an issue where the user is unable to see the "Check In" button when browser is maximized.
- Fixed an issue that caused ClickOnce and protocol handler PuTTY to not load default session logging location.
- Fixed an issue that may crash the Web interface when a dependency forces check-in, prompting error "Global Catch: Secret requires checkout."
- Fixed an issue when adding parameters to SSH scripts where the dependencies are not updated to reflect the changes that are made. When populating the dependency details modal, a check is made to ensure the script's parameters match the parameters in its definition.
- Investigated an issue when RDP proxy is enabled causing a connection issue with using NTLMv1. NTLMv2 is required and is the default on Windows Server 2008 and later.
- Fixed an issue where database integrity monitoring sent false-positive alert emails for database rows changed by Verify Privilege Vault.
- Fixed an issue where NULL NetBIOSName breaks IWA and causes spurious IP connections. The fix adds a step during the login process, specifically along the IWA path, that checks if the domain about to be checked has a NetBIOSName and, if not, fills it in.
- Fixed an issue in the UI with the drop-down menu with a predefined URL field values for secret template when creating a new secret.
- Fixed an issue in the UI where the incorrect folder menu was displayed on the favorites page.
- Fix issue where custom discovery account scanners that had "organizational unit" as their input where changed to "computer" if the scanner was updated.
- Fixed an issue when setting up a domain on a site that uses DE processing breaking Windows Authentication for that domain.
- Fixed an issue where the error message would not show for GCP and AWS scanner when the selected secret did not have a mapped password changer.
- Fixed an issue in the UI where "days until expiration" showed "expired" instead of a negative number to indicate time since expiration was met.
- Fixed an issue in the UI where the selected columns are only saved per folder, rather than across all folders. An "apply as default" check box was added to the column selector for folders. This allows the user to set up a default column setting for folder columns. It will be used when the columns are not set on a specific folder.
- Fixed an issue with live session viewing affecting Verify Privilege Vault version 10.9.
- Fixed an issue where Verify Privilege Vault Remote was not getting redirected to "get token" page when logged in with SAML.
- Fixed an issue that displayed an incorrect status message is displayed along with the error message. The "password verify was successful" message is no longer displayed along with the error message while checking heartbeat for invalid Active Directory password changes.
- Fixed an issue where the login screen was not remembering the last selected domain despite default login being set to "last selected."
- Fixed an issue with database integrity monitoring service Tablesnapshot exceptions not being handled.
- Fixed an issue where SSH proxy could fail and require a DE restart.
- Fixed an issue when saving an Active Directory domain, a 500 error on POST was prompted.
- Fixed an issue in the UI when using Internet Explorer that prevented adding a privilege account in a secret policy.
- Fixed a bug that was preventing searches on partial URLs from matching the secrets containing the partial URL. All parts of the URL host name, as well as any specified port, path, and query string are now parsed into terms according the indexing separators and are fully searchable in the UI and REST API.
- Fixed an issue where the "expire all secrets" and "delete all secrets" buttons were not present in reports in the new UI.
- Fixed an issue in the classic UI where a secret's URL path capitalization was being displayed incorrectly.
- Fixed an issue assigning a password on the secret if a username has consecutive special characters, such as
./
or-_
. - Fixed an issue that allowed local Verify Privilege Vault users to log in without a synchronization group to Azure AD.
- Fixed an issue that prevented OUs from being added to the discovery scope with a message indicating the OU was already included due to its parent, which was invalid.
- Fixed an issue with updating associated dependencies when converting a secret template of a privileged account.
- Fixed an issue where a password change on RPC stays in pending status after meeting the retry threshold. We updated RPC functionality to stop the RPC, fix the RPC button to allow retry, and removed the pending password banner when the max attempts were reached.
- Fixed an issue with database integrity monitor not adding a separator for AggregateKey.
- Fixed a bug in extended search indexing that did not index all parts of the URL field, causing searches that contained non-indexed text to not return matches.
- Fixed a timing issue with Active Directory sync when processing results on a "synchronization now" event for groups.
- Fixed an issue where undeleting a secret did not honor the setting to not allow duplicate names.
- Fixed an issue where enabling proxy setting was not available in the secret policy with RDP proxy.
- Fixed an issue where OU exclusion does not allow different credentials underneath included a domain-specific OU.
- Fixed an issue with dependency bulk operations failing to run on privileged secrets.
- Fixed an issue with downloading system logs from the UI only listing what was shown in the UI. Implemented record ranges for all grids that implement the paging interface.
- Fixed an issue that caused an error when protocol handler MSI 6.0.0.33 did not overwrite the sslauncher registry key.
- Fixed an issue that prevented running a custom report in the UI.
- Fixed an issue where "view next password" was triggered when showing current password in the audit UI.
- Fixed an error when adding many groups or users to the folder permissions and saving.
- Fixed a permission to "view scanners link" in the menu UI.
- Fixed an issue when creating a secret in the UI it did not honor the default field values changed by the secret template.
- Resolved an issue that prevented RDP connections with non-standard port numbers when connecting via an SSH tunnel.
- Fixed an issue where scheduled task dependencies were disabled after an RPC on Windows Server 2008 R2 and 2012 R2.
Verify Privilege Vault Cloud
Note: The following only apply to Verify Privilege Vault Cloud (SSC). Other issues and features are assumed to affect both on-premises and cloud unless otherwise noted.
Azure ServiceBus Transport Type Setting
We added a new cloud-only setting called "Azure Service Bus Transport Type" in the global engine settings. This defaults to "Web Sockets," so the outbound port for engines communicating with SSC will only use port 443. Customers may change the setting to "AMQP," which changes the outbound ports to 5671 and 5672.
Other Issues
- Resolved an issue with IBM Security One user synchronization.
- Resolved an issue that could cause repeated errors when accessing the OTP value for a secret.
- Changed some log entry types to warnings instead of errors.
- Fixed a bug that caused a SQL "incorrect parameter order" error when more than 2000 secrets were processed by RPC.
Known Issues
Important: If you encounter any of these known issues, please contact IBM Security Support for assistance.
Note: These issues no longer apply to Verify Privilege Vault Cloud as of December 19th.
- When used with Verify Privilege Vault Remote, secrets that have a configured allow list for server connections will not display the allow list in the Verify Privilege Vault Remote UI. This issue will be resolved in Verify Privilege Vault Remote 1.4, scheduled for release on Dec 15, 2020.
- Verify Privilege Vault on-premises installations may experience memory leak issues, which can be remedied by performing an IIS reset or application pool recycle.
- When creating a new user, the ability to select a domain is not displayed.
- The site connector for a local site cannot be changed in the UI. A workaround is possible via a manual edit in tbSite.
- Users configured for SAML are not correctly directed to the SAML login page when attempting to log in. Users will have to select "Local Login". This also applies to users that have MFA enabled in Verify Privilege Vault—the user is incorrectly redirected after SAML login.
- SAML messages may not contain a necessary attribute, preventing users from successfully logging in via SAML. An available workaround is to select "Disable InResponseTo Check" in the Identity Provider settings of SS.
- Users with view permissions can no longer see generated OTP codes on secrets.