CCP
CyberArk Client Certificate Authentication Issue

Summary
Tenable has discovered an issue with our CyberArk Integration and its Client Certificate Authentication to the CyberArk CCP/AIM Web Service API. Customers who have deployed the CyberArk CCP component on Windows Server 2022+ have experienced unsuccessful attempts authenticating to the CCP/AIM Web Service API using Client Certificate Authentication with our CyberArk Integration. This is due to an issue with Windows Internet Information Services (IIS) and certificate authentication over TLS 1.3 and HTTP/2.

Change
Customers using Windows Server 2022+ to host their CyberArk CCP must disable TLS 1.3 and HTTP/2 in IIS Manager in order to successfully use Tenable’s CyberArk Integrations that support Client Certificate Authentication. The following Microsoft article describes the issue: https://techcommunity.microsoft.com/blog/iis-support-blog/windows-server-2022-iis-web-site-tls-1-3-does-not-work-with-client-certificate-a/4129738

Impact
There are no changes to the integration.

Release Date
IMMEDIATE
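As an added example (not part of the Tenable post, and not Tenable’s or CyberArk’s own code), the PowerShell below applies the workaround described above at the registry level, which is what the IIS Manager protocol settings on Windows Server 2022 ultimately change. The registry paths and value names are Microsoft’s standard SCHANNEL and HTTP.sys settings, not values taken from the post; the backup file location is an arbitrary choice. It is assumed to run elevated on the CCP host itself.

```powershell
# Added example: disable TLS 1.3 (SCHANNEL) and HTTP/2 (HTTP.sys) on the IIS
# host that serves the CyberArk CCP/AIM Web Service. Requires an elevated
# session; SCHANNEL and HTTP.sys read these values at boot, so reboot afterwards.
#Requires -RunAsAdministrator

$tls13Server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'
$tls12Server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
$httpParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-RegistryValueRecord {
    # Returns "path\name = value" (or "<absent>") so the pre-change state is recorded.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { "$Path\$Name = $($item.$Name)" } else { "$Path\$Name = <absent>" }
}

# 1. Record the current state so the workaround can be reverted once a fixed
#    IIS build removes the need for it (backup path is an arbitrary choice).
$backupFile = Join-Path $env:TEMP 'ccp-tls-before.txt'
@(
    Get-RegistryValueRecord $tls13Server 'Enabled'
    Get-RegistryValueRecord $tls13Server 'DisabledByDefault'
    Get-RegistryValueRecord $httpParams  'EnableHttp2Tls'
    Get-RegistryValueRecord $httpParams  'EnableHttp2Cleartext'
) | Out-File -FilePath $backupFile
Write-Host "Previous values saved to $backupFile"

# 2. Disable TLS 1.3 on the server side. This is host-wide: every IIS site on
#    this machine, not only the CCP application, will negotiate TLS 1.2 instead.
#    On Server 2022 the "TLS 1.3" key usually does not exist yet, hence -Force.
New-Item -Path $tls13Server -Force | Out-Null
Set-ItemProperty -Path $tls13Server -Name 'Enabled'           -Value 0 -Type DWord
Set-ItemProperty -Path $tls13Server -Name 'DisabledByDefault' -Value 1 -Type DWord

# 3. Disable HTTP/2 in HTTP.sys (IIS 10 and later); clients fall back to HTTP/1.1.
Set-ItemProperty -Path $httpParams -Name 'EnableHttp2Tls'       -Value 0 -Type DWord
Set-ItemProperty -Path $httpParams -Name 'EnableHttp2Cleartext' -Value 0 -Type DWord

# 4. Sanity check: with TLS 1.3 off, TLS 1.2 must remain available or the CCP
#    endpoint will have no usable protocol after the reboot.
$tls12 = Get-ItemProperty -Path $tls12Server -Name 'Enabled' -ErrorAction SilentlyContinue
if ($null -ne $tls12 -and $tls12.Enabled -eq 0) {
    Write-Warning 'TLS 1.2 is explicitly disabled on this host; re-enable it before rebooting.'
}

Write-Host 'TLS 1.3 and HTTP/2 disabled in the registry. Reboot for the change to take effect.'
```

The change is deliberately scoped to the server-side SCHANNEL key only, so outbound TLS 1.3 from this host is unaffected. Because SCHANNEL settings apply to every site on the machine, the CCP should ideally live on its own IIS host; keep the saved pre-change values so the workaround can be removed once the IIS issue is fixed, rather than leaving TLS 1.3 permanently disabled.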
CyberArk Database Dynamic Scanning

Summary
We are proud to announce a major feature request for our modern CyberArk integration that eliminates A) the requirement for the user to manually add specific targets to the target settings and B) the need to create multiple credentials in a single scan. However, this feature does allow end users to create up to five credentials in a single scan. This feature takes advantage of CyberArk’s PVWA REST API to gather bulk account data, adds targets to the scan automatically based on user-driven query parameters, and requests passwords from the CCP/AIM Web Service. Not only does this eliminate the requirement for the user to manually add specific targets to the settings and the need to create multiple credentials, but it also reduces the number of calls made to gather passwords.

How it Works
When users create a scan they only need to add one arbitrary target to the settings and set up a single credential (reference the two new credential types in the changes below). The credential simply allows communication and authentication between the scanner/sensor and the two CyberArk APIs (PVWA REST API and CCP/AIM Web Service REST API). First, we reach out to the PVWA REST API to gather bulk account details for accounts that meet criteria entered by the user within a ‘platform’ query field. We store this account data and automatically add targets/hosts to the scan. On a host-by-host basis, we request a password based on specific account details. If there are 100 targets added to the scan automatically, we make 100 password requests. As mentioned in the summary, this eliminates the need to make unnecessary requests to ‘try’ multiple credentials against a single target.

Changes and Important Notes
- There is a new Database Credential for all Database Types called CyberArk Database Auto-Discovery.
- Users only need to enter a single arbitrary target in the scan.
- Users only need to set up the single credential mentioned above, but can configure up to 5 if they choose to.
- The current CyberArk credential will remain unchanged and is still available for use.
- Users will have to configure specific UI/backend properties (fields) within their CyberArk instance for some of the database types. Some database types require more details for authentication, such as service (database name), service type, and authentication type. Specific guidance can be found in our CyberArk Integration Doc.

For more information please refer to our documentation pages.
TVM: https://docs.tenable.com/integrations/CyberArk/vulnerability-management/Content/DynamicScannngIntro.htm
Nessus: https://docs.tenable.com/integrations/CyberArk/Nessus/Content/DynamicScannngIntro.htm

Impact to Existing Scan Policies
There are no impacts to existing CyberArk credential configurations.

Release Date
TVM/Nessus: Tuesday September 5th 2023