11.4.0 Release Notes

Release Schedule

  • Privilege Manager Cloud Release – Saturday, February 18th, 2023
  • Privilege Manager On-prem Release – Tuesday, March 7th, 2023
  • Windows Agent 11.4.1030 - Tuesday, March 14, 2023

When upgrading Privilege Manager to a newer version, Delinea recommends upgrading the Directory Services agent such that both are running on the same release version.

Disclaimer

This issue is not a Delinea issue and the information provided here is being provided as a courtesy.

Problem

After applying the February 14, 2023 Microsoft update KB5022842 (OS Build 20348.1547) on a Virtualized Windows Server 2022 with Secure Boot Enabled and rebooting the server a second time, the machine might crash and not start up. This issue is reproducible without any Delinea products installed on the Windows Server 2022 system.

Cause

Microsoft and VMWare are currently looking into the root cause of the system crash.

The issue arises on the second reboot after installing Microsoft update KB5022842 on Windows Server 2022 running on VMWare vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.

Resolution

Refer to the following VMWare article for further information and for steps on how to mitigate/resolve the issue:

Virtual Machine with Windows Server 2022 KB5022842 (OS Build 20348.1547) configured with secure boot enabled not booting up (90947) (vmware.com).

Delinea recommends, as a best practice, creating system restore points before making system changes such as applying patches.

Privilege Manager Windows Agent Security Update

This update fixes a local privilege escalation vulnerability that could be exploited to gain access to, or modify, highly privileged system-level folders and files. It affects all versions of the Privilege Manager Agent on Microsoft Windows before v11.4.1030. The issue is rated High, with a Common Vulnerability Scoring System (CVSS) score of 7.8. Please see the CVSS Calculator for details.

Acknowledgement: Delinea would like to acknowledge Danish Cyber Defence, and Johannes Hatting, IT-Security Specialist, for their role in identifying this vulnerability and working with our team on its expedited resolution.

Enhancements

  • A new setting, Include Built-In Administrator Account, allows the built-in administrator account to control services when using a Restrict Account Permissions on Agent Services (Windows) policy.
  • The Privilege Manager Login screen now returns a generic error containing a unique correlation ID when the login attempt has failed. You can search the correlation ID in the Privilege Manager server logs for additional information and reason for the failure.
  • Agent Registration performance improvements were made to the database.
  • Windows 11 and Windows Server 2022 have been added to Agent Summary reports.
  • Additional IPs have been added to the list of supported IPs for Privilege Manager Cloud. See Privilege Manager Multi-Tenant Cloud Architecture.
  • Added the ability to elevate/restrict fully-trusted UWP (Windows Store) Apps like Windows Terminal (Windows 10+) and Notepad (Windows 11+).
  • To prevent unauthorized systems from sending data to a syslog/SIEM system, users can now use client certificate authentication.

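The login change described above (a generic error plus a correlation ID the administrator can search for in the server logs) is a general pattern: the user sees nothing that distinguishes an unknown account from a bad password or a disabled account, while the full reason is written server-side under the same ID. The following is an added illustration of that pattern and is not Privilege Manager's own code; the user store, the `DISABLED` set and the in-memory log handler are constructed for the example.

```python
import hashlib
import hmac
import logging
import uuid

GENERIC_MESSAGE = "Login failed. Reference ID: {cid}"


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a fixed iteration count; the salt is per-user in a real store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash). Not a real store.
_SALT = b"constructed-salt"
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT)),
    "bob": (_SALT, _hash("battery staple", _SALT)),
}
DISABLED = {"bob"}  # constructed: accounts that exist but may not log in


class ListHandler(logging.Handler):
    """Collects formatted records in memory so the example runs offline."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


log = logging.getLogger("auth-example")
log.setLevel(logging.INFO)
_handler = ListHandler()
_handler.setFormatter(logging.Formatter("%(message)s"))
log.addHandler(_handler)
log.propagate = False


def login(username: str, password: str):
    """Return (success, message).

    Every failure yields the same message text apart from the correlation ID,
    so the response does not reveal whether the account exists or is disabled.
    The actual reason is logged server-side keyed by that correlation ID.
    """
    cid = str(uuid.uuid4())
    reason = None
    entry = USERS.get(username)
    if username in DISABLED:
        reason = "account disabled"
    elif entry is None:
        reason = "unknown user"
        # Hash anyway so an unknown user costs about as much as a wrong password.
        _hash(password, _SALT)
    else:
        salt, expected = entry
        if not hmac.compare_digest(_hash(password, salt), expected):
            reason = "bad password"

    if reason is None:
        log.info("correlation_id=%s user=%s result=success", cid, username)
        return True, cid
    log.warning("correlation_id=%s user=%s result=failure reason=%s",
                cid, username, reason)
    return False, GENERIC_MESSAGE.format(cid=cid)


def find_log_entry(cid: str):
    """What an administrator does with the reference ID: look it up in the log."""
    return next((r for r in _handler.records if f"correlation_id={cid}" in r), None)


if __name__ == "__main__":
    ok, msg = login("alice", "wrong")
    print(msg)                                 # generic text plus reference ID
    print(find_log_entry(msg.split(": ")[1]))  # server-side entry with the reason
```

Note that the message returned for an unknown user and for a wrong password differs only in the reference ID, which is the property the release note describes; the username and reason appear only in the server log.
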
Bug Fixes

  • Unacknowledged events are no longer cleared from the Notification page when a Purge Old Computers task is run.
  • You no longer need to resave User Context filters after importing changes to the membership of a related Azure AD group.
  • Fixed an issue that prevented the Privilege Manager agent from provisioning users and groups that had the same name as a user or group in the domain they were attached to.
  • The Server no longer sends expired Arellia Certificates to the endpoints.
  • Several instances where multiple rows were returned for the same user or group have been fixed.
  • The Import Directory OU task has been updated with required parameters and no longer produces an error.
  • Users logged into Privilege Manager Server with Azure AD login credentials are now redirected to the correct page to re-authenticate after logging out or a session timeout.
  • Duplicating file hash filters (Windows and macOS) that specify a list of hash algorithms now works properly.
  • Selecting an Azure AD group for user context filters no longer results in warnings in the agent logs.
  • Previously, launching an uninstaller from Apps and Features using an elevation policy would not work because of the restricted token of the Settings app. We've fixed our elevation to handle this case.
  • Tasks are cleared from Task Scheduler when the Delinea Agent is uninstalled.
  • Referencing Jamf Computer Groups now works the same as other foreign collections.
  • Computer names will now be displayed in full across the Privilege Manager Server console. Previously, this was restricted to 16 characters.
  • Environments with a large number of services are supported when selecting services for a scheduled job.
  • Unique names are now required for roles. When creating a role, the Role account name is used to generate the default Display Name and Account Name. Additional fields have been added to the Role details page, where you can now modify the Display Name and Description, along with the pre-existing Membership option.
  • Selecting all approval requests on the Manage Approvals page now selects only the currently displayed requests.
  • The Policy Events report no longer displays an error when a Date\Time filter is defined and a browser refresh is initiated.
  • Fixed an issue where some applications with specific version data would cause an invalid XML character error.
  • ThycoticOne users can be deleted from Privilege Manager. Existing ThycoticOne users will need to be manually edited to remove the NoDelete attribute via the XML editor.
  • Fixed an issue where some sample policies were not being updated to the latest configuration.
  • Fixed an issue in previous versions that caused the Service Bus web application to shut down due to inactivity, which left the mobile app no longer functioning.
  • Fixed an issue where the mobile app could not be used with a user unless that user was directly assigned to a role (indirect through a group would not work).

Agent Specific

Windows

  • An issue that caused the agent to be unable to register the Request Run As Administrator context menu extension for the .ps1 file type for Windows 11 is fixed. Registry keys and values are now used to perform the context menu extension registration on Windows 11 systems when creating system file associations.
  • The 11.4.0 Windows Agent fixes a memory leak caused by the Parent Process filter.
  • Built-in user accounts can now have an initial random password generated when they are managed, using the new Windows agent. Previously, the password generation process on the agent workstation would error if a user attempted to manage a built-in user and set an initial random password.
  • Windows Scheduled Jobs configured with a Local Security Delete Command now correctly process the users and groups.
  • Updated the Windows Agent to support files with a path name longer than MAX_PATH characters.
  • Fixed consistency issues with updated XAML messages for Windows Actions. When editing custom XAML messages, text is correctly saved.
  • For HTML message actions that contain multiple messaging sections, the HTML editor is no longer enabled, in order to preserve the HTML structure. You will still be able to edit the content of the HTML messages through the Item XML editor, if needed.
  • Fixed an undersized buffer problem, an error handling problem, and a data scrubbing problem that caused the ArelliaACSvc.exe process to terminate due to an unhandled exception.

macOS

  • Policies that allow command line binaries to run elevated via the sudo command should contain a Run as Root action. This distinguishes them from policies that only monitor the execution of command-line binaries. A Run as Root action is required even if it performs no action in the policy.

    With this release, this requirement is strictly enforced. Review any such existing policies and add a Run as Root action if needed.

  • The Elevate Privilege Manager Agent Preference Pane (Sample) and its associated System Preference filter have been updated to support opening the Privilege Manager Preference pane on Catalina and later versions of macOS, including Ventura.

    The System Preference filter has been renamed to Privilege Manager Preference Pane (macOS); its description and file name definitions have also been updated.

    If the sample policy is enabled, agents will need to refresh their policies after the upgrade before the extended functionality is enabled.

  • Managed user/group or password rotation policies for macOS endpoints with a weekly update schedule that included "Tuesday" would display as "Unknown" on the endpoint and would not be executed as intended. This has been fixed.
  • Creating a duplicate Application Approval Request (with ServiceNow Request Item Number) Message Action no longer displays incorrectly on the macOS Agent.
  • The Energy Saver, Battery, Lock Screen, Date & Time, and Network Preference Panes in macOS Ventura are now supported. Lock Screen is new in macOS Ventura. Refer to System Preferences documentation for more information.