The Symantec Privileged Access Management (PAM) is susceptible to a privilege escalation vulnerability. A malicious PAM unauthorized user can access the PAM configuration endpoints with the read and write permissions when multi-factor authentication (MFA) is enabled, which they might not otherwise be authorized to access.
Note that this only affects MFA authentication methods configured in PAM, such as LDAP+RSA or LDAP+RADIUS. Single-factor authentications such as Local or LDAP are not affected. Neither is SAML authentication. Even if the SAML IdP uses MFA, from the PAM view it's still a single-factor SAML request/response authentication.
Affected Releases: 3.4.0-3.4.6, 4.0.0-4.0.3, 4.1.0
Security Advisory Privilege Escalation Vulnerability in PAM 4.1
Privilege Elevation could occur during the MFA authentication process, after the first set of credentials were provided and before MFA completed. Once the authentication is complete, privileges are processed correctly.
If you have any MFA authentication configured in PAM, or plan to do so in the near future, download and apply the hotfix for you PAM server release from the PAM Solutions and Patches page, under section CVE-2022-25625 Vulnerability Hotfixes. These hotfixes can be applied to an active cluster one node at a time, but require a server reboot. Applying the patch will disrupt user sessions on the node. Make sure the patched node is back up and in sync before applying the patch to the next node. Apply the patch on the replication leader, typically the first node in the primary site, last.
Detailed installation instructions are found on the PAM hotfix documentation pages. Start with the 4.1.0 Hotfixes page and navigate to the hotfix that matches your PAM release.
PAM 4.1 customers should apply Hotfix 18.104.22.168.
PAM 4.0.3 customers should apply Hotfix 4.0.3.01.
PAM 4.0.2 customers should apply Hotfix 4.0.2.04.
PAM 4.0.1 customers should apply Hotfix 22.214.171.124.
PAM 4.0 customers should apply Hotfix 4.0.0.05.
PAM 3.4.6 customers should apply Hotfix 3.4.6.05.
PAM 3.4.0-3.4.5 can upgrade to a newer release and apply a corresponding hotfix.
Patch included in the out of the box PAM 4.1.1