Bypass Record

Valid Accounts × Tripwire Enterprise 9.1.0

A publicly-reported instance of Valid Accounts bypassing Tripwire Enterprise 9.1.0, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Tripwire Enterprise 9.1.0
Technique: Valid Accounts
MITRE ATT&CK: T1078
Confidence: High
Severity: Critical
Status: unknown
Disclosed: 2024-06-03
Config / version noted: Yes

Provenance

Reported as

CVE-2024-4332 is an authentication bypass vulnerability in the REST and SOAP APIs of Tripwire Enterprise 9.1.0.

Mechanism

The vulnerability (CWE-303) exists in the API authentication flow when LDAP/AD SAML authentication is combined with the 'Auto-synchronize LDAP Users, Roles, and Groups' feature. In that configuration the authentication validation logic fails to properly verify credentials, so a request that supplies a known username can bypass authentication and access protected API endpoints.

Detection & mitigation

Monitor Tripwire Enterprise API access logs for successful authentications that come from unusual IPs, occur at odd hours, or have no corresponding multi-factor event. Mitigate by applying the vendor patch, disabling auto-synchronization if it is not needed, and enforcing network segmentation to limit API exposure.
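
The three log checks above, as an added example that is not part of the original record or of any Tripwire tooling. The event field names, the trusted subnet, the working hours and the MFA window are assumptions; the sample events are constructed and do not reflect Tripwire Enterprise's real log schema.

```python
import ipaddress
from datetime import datetime

# Assumed policy values (not from the advisory): management subnets allowed to
# call the API, working hours, and the MFA correlation window in seconds.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WORK_HOURS = range(7, 20)
MFA_WINDOW_S = 300

# Constructed, already-normalized events; field names are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2024-06-04T09:15:02", "type": "mfa_ok", "user": "jdoe", "ip": "10.20.0.14"},
    {"ts": "2024-06-04T09:15:40", "type": "api_auth_ok", "user": "jdoe", "ip": "10.20.0.14"},
    {"ts": "2024-06-04T02:41:17", "type": "api_auth_ok", "user": "svc_ldap", "ip": "203.0.113.50"},
    {"ts": "2024-06-04T11:05:00", "type": "api_auth_ok", "user": "asmith", "ip": "10.20.0.31"},
]

def review_api_auth(events):
    """Return (event, reasons) for each successful API auth worth triage."""
    mfa_times = {}
    for e in events:
        if e["type"] == "mfa_ok":
            mfa_times.setdefault(e["user"], []).append(datetime.fromisoformat(e["ts"]))
    findings = []
    for e in events:
        if e["type"] != "api_auth_ok":
            continue
        ts = datetime.fromisoformat(e["ts"])
        ip = ipaddress.ip_address(e["ip"])
        reasons = []
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append("unusual_ip")
        if ts.hour not in WORK_HOURS:
            reasons.append("odd_hour")
        # A bypassed login has no MFA success shortly before it for that user.
        if not any(0 <= (ts - m).total_seconds() <= MFA_WINDOW_S
                   for m in mfa_times.get(e["user"], [])):
            reasons.append("no_mfa_event")
        if reasons:
            findings.append((e, reasons))
    return findings

if __name__ == "__main__":
    for event, reasons in review_api_auth(SAMPLE_EVENTS):
        print(event["ts"], event["user"], event["ip"], ",".join(reasons))
```

A login that trips only `no_mfa_event` from a trusted address during working hours is the case the first two checks miss, which is why the MFA correlation is evaluated independently rather than as a tiebreaker.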

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.