Secret Server: 11.0.000007 Release Notes
Release date:
- September 7, 2021 (on-premises only)
- September 11, 2021 (Cloud: US)
- PM agents will not register.
- When a PM agent updates itself (using the agent utility), it states that there are zero policies to download.
Secret Server 11.1.000007 Security Update
This release addresses a security issue that was recently discovered during third-party penetration testing. The security issue is rated High severity on the standard CVSS scale and impacts all previous versions of Secret Server On-Premise. It impacts Secret Server10.9.000032 to 11.0.000006. We recommend all affected Secret Server on-premise customers upgrade immediately to version 11.0.000007.
It does not impact Secret Server Cloud and there were no version updates to Secret Server Cloud.
CVSS Summary:
NTLM Hash Leak:
Short Description: A highly privileged user on the same network as Secret Server could potentially cause an unauthorized NTLM hash leak. The vulnerability is given a score of 7.4 by CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H.
Known Issues
Connection Manager Version 1.6.2 Required for Customers Using Secret Server 11.0
Details:
-
Intermittent Issue: On a macOS, when run in protocol handler mode, copy and paste does not work. The app does not crash but the copy and paste action is not successful. If the app is “unlocked,” copy, cut, and paste work. For your Secret Server connection to “unlock” it, expand the left navigation panel, and double click on the “lock” icon.
-
Intermittent Issue On a macOS, while connected to any Secret Server, if the user edits the same Secret Server name (via the Secret Server connections menu), the app could get stuck in a “connecting…” state.
-
Intermittent Issue: On a macOS, some users may experience issues connecting to Secret Server via a Web login (SAML) where the connection stays in a “connecting…” state.
-
Upgrade Issues: In some situations, the automatic upgrade may not run the installer after downloading the MSI or package files. On macOS, when upgrading from v1.6.0, the automatic update fails to launch the installer. On Windows, the auto update may not launch the installer. In that case, please download and run the installer manually or via a software deployment tool.
Installer download links:
New Features and Enhancements
API
Secrets are now searchable by the full path. This removes the need to know the ID to locate the intended secret.
Encrypted Secret Export
Secret Server now allows you to schedule encrypted exports of secret data to external storage.
General
- Updated ESXi integration support via an update of PowerCLI 12.
- Updated PuTTY to version .074.
- Added SNC support for communication between SAP and Secret Server for heartbeat and remote password changing.
- Added support for metadata filters on event pipelines.
- Added the ability to intercept a sudo or su command in a proxied session and inject the session password directly from Secret Server, not disclosing the password to the user.
- Added support for displaying both username and display name in audit logs.
- Added SMB fallback support for local Windows account heartbeats.
- Added a discovery threshold configuration that controls when a dependency is deactivated if it is not found in a scan. The threshold is set to the times a dependency can be missing prior to deactivation. It can also be set to "never" to prevent deactivation.
Inbox
The inbox now provides a customizable toolset to manage how email and notifications are sent and received by users. Inbox allows for configuration of notification scheduling, collecting notifications into digests, creation of message templates and rules, and more.
Lists
Secrets now support configurable data lists. Users with the "apply lists to secrets via secret policies" permission can create a list. This provides an easy mechanism for secret owners to simply choose from provided lists, such as a list of machines the user can select. Additionally, lists can be used for allow and blocklists allowing for control over what the secret owner can access.
Proxy Generic Connections
Secret Server can now securely tunnel a connection to servers operating on a variety of protocols.
Secret Erase
Users with the permissions to use the secret erase feature can permanently erase data from a secret. This provides Secret Server a method to purge secret data without reconciliation of the erased data. The existing "delete" function (now called "deactivate") allows you to "undelete" (reactivate). Secret erase can be audited as an event.
SSH Key Discovery
Secret Server discovery can now discover SSH public keys by scanning key locations on Linux and Unix servers.
User Interface
-
Added dependency status reports. The reports are:
- Overview: Shows how many dependencies failed, succeeded, and were not run.
- Status: Shows how many dependencies failed, succeeded, and were not run by clickable secret, secret dependency group, and site.
- Failed by secret: Shows doughnut graphic with secret and fail count.
- Not run by secret: Shows the not run count by secret.
- Renamed the "Viewing Password Requires Edit" setting to "Hide Launcher Password" in the secret policies editor to improve clarity.
Bug Fixes
Note: The same line item may appear in more than one section when it applies to both.
Access Requests and Secret Workflows
- Fixed an issue where the "Revoke" button was being displayed in the UI after a request had already expired. The button should not be available to users past expiration.
- Fixed an issue where a "No Permission" page is displayed incorrectly when checking-in a secret with "change on check-in" enabled.
Alerts, Events, and Logging
- Fixed an issue where if the browser is set to a non-English language, a failed login attempt causes invalid system logging. The fix changes the character type from text to nvchar to produce successful logging entries. For this data type conversion, we recommend that customers with lots of data may want to run the SQL delta ahead of an upgrade to prevent potential SQL timeouts during upgrade.
API
- Fixed an issue where API was returning null for createDate on SecretSummary queries.
- Fixed an issue that resulted in receiving a 500 error when using the REST API to enable check-in on a secret using the PATCH method /secrets/{id}/security-checkout.
- Fixed an issue where the REST API was returning "Object reference not set to an instance of an object." against the /directory-services/domains/{domainid}/group.
- Fixed an issue for the API endpoint, workflow, or template throwing an exception when the take parameter was not specified.
- Fixed a POST issue in secret-templates REST endpoint that did not properly validate the editablePermission property on fields.
- Fixed an issue where a secret policy which enforces 'View Password Requires Edit' prevents API access to the view the password.
Authentication, Login, and Directory Services
- Fixed an issue with post authentication for SAML.
- Fixed an issue where if the browser is set to a non-English language, a failed login attempt causes invalid system logging. The fix changes the character type from text to nvchar to produce successful logging entries. For this data type conversion, we recommend that customers with lots of data may want to run the SQL delta ahead of an upgrade to prevent potential SQL timeouts during upgrade.
- Fixed an issue where when a distributed engine was used as a proxy server the SSH terminal gave an invalid error during authentication for public keys.
- Fixed an issue where occasionally users that synced via Active Directory were not getting assigned default role(s).
- Fixed an issue with Active Directory synchronization throwing a credential validation error when the sync credentials are from another domain after creating relationship between domains.
- Added a notice in the UI for directory services group sync search results being limited to 1000 groups.
- Fixed an issue where Active Directory group names were showing with their pre-Windows 2000 name instead of the group name.
- Fixed an issue where Secret Server Cloud users were presented with a misleading tooltip for user synchronization interval options in directory services configuration. An improved tooltip has been provided to inform the user the limitations of the configuration more accurately in Secret Server Cloud.
Discovery
- Fixed an issue in discovery when using LDAPS where discovery attempts to use port 389 despite the user having selected LDAPS port 636.
- Fixed an issue with saving IP addresses additions to the manual host range within the discovery scanner. A message is now provided to inform the user that the manual host ranges should be set on the discovery source scanner, rather than as a default setting on the scanner itself.
- Fixed an issue that could occasionally cause dependencies to get disabled by a computer discovery scan.
- Fixed a discovery issue that could cause background processes to stop.
- Fixed an issue where discovery was retaining too many historical records for each host. We added an advanced configuration setting to define the number of records.
- Fixed a discovery issue where when the discoverysourceid was equal to 9 or 10, after the domain scan completed to get machines, the Service Account tab in the UI would not load re-scan buttons.
- Fixed an issue where the schedule task scanner did not work for the domain discovery source with two UPNs.
- Fixed an issue with discovery for scheduled task scanning across multiple trusted domains.
- Fixed a discovery issue where similar OU names resulted in discovery importing accounts from an OU with a similar name to the targeted OU.
Event Subscriptions and Pipelines
- Fixed an issue that could be encountered with event subscriptions after converting a secret's template. An improved message is now provided in the UI when converting secret templates to inform the user what actions needs to take place to prevent the issue.
- Fixed an issue with event pipelines receiving an application error when trying to add tasks in a policy if the policy has a deactivated pipeline.
- Fixed an event subscriptions issue of not initiating for engine events.
Folders
- Fixed an issue when editing folder permissions and receiving no search results for groups that contained a '+' in the group name.
- Fixed an issue that prevented the ability to sort folders by alphabetical order on name in the Favorites tab.
- Fixed an issue where the folder name may not display in the secret grid.
- Fixed an issue where right clicking secret folders in the UI did not have the "View Details" option available for users with view permissions.
- Fixed an issue where editing folder sharing permissions removed restricted template options in the new UI.
- Fixed an issue that caused an application error when changing a folder's secret permissions to "none."
General
- Fixed an issue that caused a 500 error if certain password sequences were used when password validation settings were enabled to prevent password sequences.
- Fixed an issue that prevented content deletion in metadata fields.
- Fixed an issue where pressing enter on the keyboard when using the main application search box did not display results in the secret grid but only in the dropdown.
- Fixed an issue where the "Copy to Clipboard" button was not appearing on fields that contained a character count beyond the max field character display.
- Fixed an issue where the "Options" menu on pages is automatically hidden in the UI if no options are present to display to the user.
- Fixed an issue where sessions created through the Secret Server terminal "Launch" command were not getting returned by session search when filtering by secret name, secret field value, or user.
- Fixed an issue where on the home page engine status widget was not displaying the correct status in the "Connection Status 1" column. In the fix, this column has been renamed to 'Activation Status'.
- Fixed an invalid audit message entry when a user initiates "Change Password Now" using the "Randomly Generated" option.
- Fixed an issue where changing the name of a launcher did not update the name of the launcher on the secret.
- Fixed a mouseover label on "RADIUS User Name" on the Users page. Mouseover tooltip now displays "The user name of your RADIUS user."
- Fixed an issue with password requirement validation. When a password policy specified that the username must not be included in the password, the validation was too aggressive. Now at least three consecutive characters in the password must match a section of the username for a password to be rejected.
- Fixed an issue that caused locks to hang in tbDatabaseCache.
- Fixed an issue where an account is not being used as a "Privileged Secrets for Scripts" when importing for discovery for RPC and heartbeat.
- Fixed an issue where RDP proxy may experience intermittent connectivity when using the Mac version of Connection Manager.
- Fixed an issue causing Secret Server-BWSR errors from UDP Syslog datagrams exceeding RFC3164/5424 specifications. Note that TCP or SecureTCP, is preferred over UDP for reliability purposes.
- Fixed an issue when editing the default password requirement when using a language other than English. It set the default to false.
- Fixed an issue when syncing AzureAD where deleting a sync group in AzureAD would result in members of all groups being synchronized.
Heartbeat, Distributed Engines, and RPC
-
Fixed an issue that resulted in a "Phantom.JS.exe not found" error when trying to run a heartbeat on a Web password with a distributed engine.
-
Fixed an issue where password changing for secrets was not being triggered after a forced check-in.
-
Fixed an issue when creating custom dependencies that produced an invalid error when adding a parent field of 'Machine.'
-
Fixed an issue when setting the auto change schedule on a secret policy to monthly that caused a UI issue that prevented viewing the Remote Password Changing tab.
-
Fixed an issue where a "Last Heartbeat Status" error was displayed in the UI that indicated the user's Web browser stopped polling the server. An improved error message is provided in cases where polling timeout still occurs.
-
Fixed an issue with password changing for SAP secrets that caused failures at password change due to an issue with the check-in.
For SAP servers where rfc/reject_expired_passwd = 1, a new option was added to the Advanced Settings in the SAP password changer. This new option, "Use Single Destination (SAP)" is false by default, but, when set to true, it allows privileged password changing to succeed on these servers by using the privileged credentials in both steps of the privileged password change.
For servers where rfc/reject_expired_passwd = 0, this option may be set to true or false and password changing will succeed.
-
Fixed an issue where previously inactive custom scripts were still displayed as available for RPC.
-
Fixed an issue where a secret policy which enforces 'View Password Requires Edit' prevents API access to the view the password.
-
Fixed an issue that displayed the distributed engine count incorrectly based on previously deleted distributed engines.
-
Fixed an issue that could prevent the privileged account password from changing by a distributed engine if a child secret were deleted while it was being processed for RPC.
-
Fixed an issue preventing a scheduled password change if the secret template expiration is disabled.
-
Fixed an issue producing an error during a distributed engine install when the hostname was more than 50 characters.
-
Fixed an issue for the ODBC password changer with verification opening the connection but not executing custom commands. The fix allows for: CheckFor, CheckContains, and CheckNotContains to be used in custom commands. Additional logging has also been added when verbose logging is enabled.
-
Fixed an issue with RPC on scheduled tasks that have a secret ID on a different trusted domain.
-
Fixed an issue where the distributed engine automatic upgrade would fail if the OS account HKU{GUID} entry does not have permission to stop the distributed engine service.
Installation, Upgrade, and Uninstall
- Fixed an issue where ThycoticSetup.exe failed to install SQL Express when selected for the installation.
- Fixed an issue producing an error during a distributed engine install when the hostname was more than 50 characters.
Launchers
Fixed an issue with SAP launcher where record "Additional Processes" stops recording if it was opened from another process within "Process Arguments" and that process is closed.
Reports
Fixed an issue where duplicate report emails were received when a report schedule was not removed after a report with the same name was deleted. The fix does not allow two active reports to have the same report name when creating or updating a report.
Secret Server Cloud
- Fixed an issue where Secret Server Cloud users were presented with a misleading tooltip for user synchronization interval options in directory services configuration. An improved tooltip has been provided to inform the user the limitations of the configuration more accurately in Secret Server Cloud.
- Fixed an issue in Secret Server Cloud where personal folders were not being created for new users created through Delinea One.
- Fixed an issue for Secret Server Cloud where after entering the PIN for Duo and attempting login, Secret Server would activate the Duo Push button in the UI, rather than proceeding with the login.
Secrets, Policies, and Templates
- Fixed an issue by adding more robust permission checks to determine when template conversion options should be available to users, rather than displaying generic access denied errors when users attempted making conversions on a template without the right user roles.
- Fixed an issue by providing additional detail in a warning message to alert the users when duplicating templates that changes must be applied to all secrets intended to use the new template.
- Fixed an issue when setting the auto change schedule on a secret policy to monthly that caused a UI issue that prevented viewing the Remote Password Changing tab.
- Fixed an issue that prevented record retrieval on secret permissions if the application account has owner permissions at the secret level. Now, if you have view access to the secret in the filter you can retrieve the permissions. Queries that do not have secret ID still require the secret owner.
- Fixed an issue where a secret template with a duplicate name in fields would cause a failure when exported, due to the field name match. We recommend using an available slug on the XML for handling fields which have the same name.
- Fixed an issue in the UI when searching of the secrets grid where the search text box covered the first result in the grid.
- Fixed and improved reference labeling to secrets when a secret template changes on deleted secrets. A (deleted) reference is added to secrets used in a secret policy that have been deleted. Added a note to let the user know that deleted secrets are included in the secret count.
- Fixed an issue preventing a scheduled password change if the secret template expiration is disabled.
- Fixed an issue preventing applying a secret policy without access to the required privileged account. Users can now assign a new role that allows users with "list" permissions on the secret to pass the secret access permissions check for privileged and associated secrets when the privileged or associated secrets are enforced by secret policy.
Session Recording
- Fixed an issue causing Session Recording failures to record multiple sessions to the same target with MobaXTerm.
- Fixed an issue where older session recording keystroke logs were not deleted after the configured retention period. Session recording using SSH or RDP Proxy to capture keystroke metadata was not running the cleanup job after the data retention period expired.
- Fixed an issue where searching for recorded sessions could produce an execution timeout error.
- Fixed an issue with the SAP launcher only recording part of the screen.
SSH Proxy and Terminal
- Fixed an issue where SSH proxy sessions via SSH terminal would close within approximately five minutes after launch.
- Fixed an issue where when a distributed engine was used as a proxy server the SSH terminal gave an invalid error during authentication for public keys.
- Fixed an issue when launching SSH secrets via SSH terminal that have 'check out' and 'change on check in' enabled. When exiting the launched session, the secret does not check in.
- Fixed an issue with proxied SSH custom launchers using a "Connect As" secret failing to launch successfully.
- Fixed an issue using private ECDSA SSH keys generated in the OpenSSH format that produced an error when uploading the key on a SSH key template.
- Fixed an issue that caused premature closure of proxied SSH processes when opening multiple sessions of MobaXterm.
- Fixed an issue where the SSH proxy tunnel would not take $password from Xshell client on a custom launcher.
- Fixed an issue where the supported SSH key exchange algorithms would fail to negotiate (ecdh-sha2-nistp256, ecdh-sha2-nistp384, and ecdh-sha2-nistp521).
- Fixed an issue where the keyboard did not operate for users on SSH RDP PuTTY sessions via proxy.
Users and Groups
Fixed an issue with the "Users Migrate to AD" function producing an invalid error when canceling.
Web Password Filler
Fixed an issue where Web Password Filler did not prompt token generation for users on Windows 10 version 20H2.
Fixes made since Early Adopter Version 11.0.000000
- Fixed a critical, CVSS 9.9, security issue. It impacts Secret Server 10.9.000032 to 11.0.000006. See the important note at the top of these release notes.
- Fixed an issue with secret access requests not allowing the administrator to approve via the inbox.
- Fixed an issue where SSH blocklist caused user keystrokes to be echoed back in the session.
- Fixed an issue with SSH blocklist that caused all su sessions to quit when issuing an exit command.
- Fixed an issue with SSH blocklist where the control-c input does not quit running the program when SSH blocklist is enabled.
- Fixed an issue with SSH blocklist where ESC input on a session with SSH blocklist terminates the session.
- Fixed an issue with SSH blocklist where all su sessions terminate when issuing an exit command.
- Fixed an issue with the lists feature where a user with own or edit permission on a secret were not given access to add or remove lists.
- Fixed date parsing logic for license dates. License dates are in U.S. date format, but default parsing logic uses local-server time-format settings to parse the date and could fail if the expected format is in a different order, for example, in the U.K. where the format is dd/mm/yyyy instead of mm/dd/yyyy. We forced the parser to use the U.S. date format.
Pending Deprecations
This section describes planned feature or platform-support deprecations in Secret Server.
- Internet Explorer 11. Support for Internet Explorer 11 ends on 31 August 2021. Secret Server releases after that date will not support Internet Explorer 11.
- Secret Server Classic UI. The Classic UI option in Secret Server is scheduled to be removed in Q1 2022. After that time, the New UI will be the only available UI option in Secret Server.