CVE-2024-39708: 
Delinea Thycotic Agent vulnerability analysis and mitigation

A local privilege escalation vulnerability (CVE-2024-39708) was discovered in Delinea Privilege Manager (formerly Thycotic Privilege Manager) versions before 12.0.1096 on Windows. The vulnerability allows a non-administrator user to copy a crafted DLL file to a temporary directory used by .NET Shadow Copies, which can lead to privilege escalation if the core agent service loads that file (NVD, CyberArk).

The vulnerability exists due to a DLL search order hijacking issue in the agent service. When the service starts, it attempts to load httpapi.dll from multiple locations, including a temporary directory (C:\Windows\Temp\Arellia\AmsAgent\Cache\ArelliaAgent\assembly\dl3\7f9cbee9\00bbcf35_70d5d901) that inherits Windows' default permissions allowing unprivileged users to write files. This allows attackers to plant a malicious httpapi.dll that gets loaded when the service restarts. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (High) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (CyberArk).

Successful exploitation of this vulnerability allows an unprivileged user to execute arbitrary code with SYSTEM privileges, effectively gaining complete control over the affected system (CyberArk).

The vulnerability has been fixed in Delinea Privilege Manager version 12.0.1096. Organizations should upgrade to this version or later to prevent exploitation. The fix modifies the core agent service to no longer use .NET Shadow Copies behavior, eliminating the security risk associated with temporary directory permissions (Delinea).

The vulnerability was discovered by CyberArk's Red Team during a customer engagement and was responsibly disclosed to Delinea. The disclosure timeline shows that Delinea responded promptly to the report and worked to develop and release a fix within approximately one month (CyberArk).