PAM360 Release 4.5 (Security Hotfix) 4501 (16th May 2020)

Security Fix

  • An unauthenticated servlet vulnerability in our internal framework, which posed the risk of less-impactful entries being inserted remotely into the integration system configurations table, has been fixed.
 

PAM360 Release 4.5 (4500) (6th May 2020)

New Features

  • Expiry Notifications for SSL Certificates
    PAM360 now enables users to discover, import, and configure expiry notifications for SSL certificates hosted in the following Amazon Web Services: AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM).
  • Self-signed Certificates Auto Renewal
    PAM360 now supports automated renewal of self-signed certificates along with Microsoft CA certificate renewal.
  • SSL Certificate Deployment and Binding - IIS Server
    From now on, you can both deploy a certificate to the IIS server and also bind it to the desired website in the IIS, all from the PAM360 interface itself, without the need to access the IIS server separately. Also, an option has been provided to automatically restart the IIS server for the deployment and binding to take effect, thereby eliminating the need for the manual restart from the IIS end.
  • Additional Fields
    PAM360 now brings you the 'Additional Fields' feature, configured from 'Admin >> SSH/SSL', which is used to include any additional information about the SSH keys and SSL certificates stored in the repository. There are four categories of additional fields: character, numeric, date and email. Users can choose to add or remove the additional fields from the SSH and SSL views.
  • Column Chooser
    This version of PAM360 comes with the 'Column Chooser' feature that allows users to show or hide columns at runtime, and also rearrange the columns from the current view via drag-and-drop.
  • Pretty Good Privacy (PGP) Keys
    PGP encryption is used to enhance cryptographic privacy and authentication for online communication by encrypting and decrypting texts, emails, files, etc. It uses a combination of data compression, hashing, and public-key cryptography to boost confidentiality. Now, PAM360 brings you this PGP functionality in the form of PGP key generation, where the keys are used to encrypt the data like emails, texts, etc. Create, store and manage PGP keys under 'Admin >> SSH/SSL'. Modify the key description anytime, export private/public keys, export keys to multiple email ids, and generate, view, and schedule reports. You can also send expiry notification emails to admins. This feature allows you to share and collaborate information securely among your trusted groups of users and businesses.
  • GlobalSign
    PAM360 now supports integration with GlobalSign SSL—a trusted Certificate Authority and a leading cloud-based PKI solutions provider. This integration enables users to request, acquire, import, deploy, renew and automate the end-to-end lifecycle management of SSL/TLS certificates issued by GlobalSign, directly from the PAM360 web interface.
  • Certificate Deployment using Agent
    PAM360 can already deploy and bind certificates to IIS servers belonging to the domain, where PAM360 also resides. Now, PAM360 can also deploy certificates to IIS servers in demilitarized zones and also bind them to websites in IIS, all using an agent. This makes PAM360 more scalable, as it can deploy and bind certificates in IIS servers, irrespective of whether they are in the same or different domain.
  • CSR Signing using Agent
    In addition to the already available two sign types, namely, 'MS Certificate Authority' and 'Sign with Root', used to sign certificates from PAM360, a third sign type 'MS Certificate Authority with Agent' has been introduced. This new sign type is mainly used to sign certificates originating from a distinct domain, i.e., other than the domain to which PAM360 belongs.
  • Integrating with Ticketing Systems
    PAM360 now integrates with enterprise ticketing systems namely ServiceDesk Plus (on-premise) and ServiceNow. This integration ensures that automatic service requests are created in the ticketing environment to notify administrators of SSL certificates that are at the risk of expiring and certificates that are deemed vulnerable after a vulnerability scan in PAM360. Users can set notification policies to govern the frequency of service request creation for expiring and vulnerable tickets.

Enhancements

  • PAM360 now provides additional insights on agent activity such as heartbeat interval, latest response time and operation performed.
  • For scheduled SSL expiry tasks, users now have the option to choose whether or not, to receive email notifications when no certificates in that particular schedule are nearing expiration.
  • PAM360 now automatically bundles individual private key (.key) files and certificate files (.cer/.pem) into 'JKS' and 'PKCS' keystore file formats and provides an export option for the resulting keystores.
  • Two extra categories have been added to the criteria-based certificate group creation: AWS service and Certificate template.
  • Now, it is possible to use the PAM360 service account credentials for authentication while deploying certificates in Windows servers.
  • Henceforth, while creating a certificate, users can grant ephemeral access to it (a validity specified in hours and minutes), after which the certificate auto-expires. This removes the need for permanent access credentials to reach target systems, and for explicit revocation of that access.
  • It is now possible to perform SNI-based SSL discovery using the Common Name and IP Address combination.
  • The option to filter certificates based on the key length and signature algorithm within specific expiry days has been added to the 'getAllSSLCertificates' Rest API.
  • It is now possible to customize notifications and their intervals. Users can now choose not to receive notifications regarding the expired certificates, and send a separate email and customized subject per certificate, from 'Admin >> SSH/SSL >> Notification Settings'. The same actions can be done while creating new schedules under 'SSH/SSL >> Schedules >> Add Schedule', where you have to select the Schedule Type as 'SSL Expiry'.
  • Earlier, PAM360 allowed signing and deployment of certificates only from Windows systems. Now, it is possible to perform certificate signing and deployment to Windows systems from Linux installations through agents.
  • It is now possible to provide customized subjects in 'Schedules'.
  • In the REST API, the fetch-details response format has been modified so that the "details" attribute holds all the data. The following APIs are affected: GetCertificateDetails, getallsslcertificates, getAllSSLCertsExpiryDate, sslCertSingleDiscovery, sslCertRangeDiscovery, getallsshkeys, GetSSHKey, GetSSHKeysForUser and GetAllAssociatedUsers.

Bug Fixes

  • Previously, certificate deployment failed if the field "Store Password" contained a space character while creating certificates from 'Certificates → Create'. This has now been fixed.
  • Previously, when performing bulk operations, the "Create and Deploy" action failed when executed on SSH user groups, for RSA and DSA signature algorithms. This has now been fixed.
  • Previously, when there was a "space" character present in a certificate group name, attempting to fetch the SSL certificates report pertaining to that group from the Reports tab threw the following error: "Invalid field format". This has now been fixed.
  • Previously, even after the certificate's private key was imported and attached to a certificate in PAM360's certificate repository, the "Export Keystore/PFX" option was still disabled. This has now been fixed.
  • During all AD-related operations performed from the PAM360 interface, the 'Connection Mode' got saved as 'No SSL' only, even if the 'SSL' mode was chosen. This issue has been fixed now.
  • Earlier, MSCA signing supported 'java keytool' CSRs only. From this release, all CSRs are supported by MSCA signing.
  • During certificate creation, all values entered in the SAN field were categorized as 'DNS' only. Now, the values are segregated into 'DNS' and 'IP Address' categories.
  • When a set of resources was shared with one or more users with varying access permissions, changing the access permission of one of those resources also changed the access permission of all the other resources. This issue has been fixed now.

Security Fixes

  • A SQL injection vulnerability identified in 'Audit Reports' has been fixed.
  • A Cross-Site Scripting (XSS) issue that occurred due to the absence of output encoding in the user input has been fixed.
  • Earlier, the Keystore password of the certificate uploaded into the server was appended in the URL, which posed a security risk. From now on, the Keystore password will be sent as the 'RequestBody' to maintain optimal security.
 

PAM360 Release 4.1 (4101) (1st April 2020)

Enhancement

  • Just in Time (JIT) Privilege Elevation for Local Accounts
    Now, a PAM administrator can provide just-in-time (JIT) privilege elevation to Windows local accounts in PAM360 with short-term access to a sensitive application or a service, for a defined period, say 30 minutes. In other words, the administrator can use this feature to temporarily elevate an account's privilege to be a Windows Administrator or any other privileged user, and accomplish the required privileged functions. This is useful in scenarios where users do not need continual privilege access but only a temporary, on-demand privileged access to certain applications or tasks.
 

PAM360 Release 4.1 (4100) (3rd February 2020)

New Features

  • AWS EC2 Discovery
    This build comes with the option to discover AWS EC2 instances and their associated privileged accounts, in addition to the already available Windows, Linux, VMware and Network device discovery. Discover the AWS EC2 instances by providing the access key and secret key of AWS IAM users. Discover the privileged accounts associated with each AWS EC2 instance by providing the SSH private key (.pem) of the relevant instance at the time of discovery. You can also discover AWS EC2 instances from multiple regions.
  • Integration with the Automation Anywhere RPA Tool
    ManageEngine PAM360 integrates with Automation Anywhere, a Robotic Process Automation (RPA) platform that automates software processes using bots. PAM360 provides a bot that automatically fetches passwords from the PAM360 secure vault without manual intervention. This bot can work in combination with other bots in Automation Anywhere to create a complete endpoint management workflow.

Enhancement

  • Periodic Password Integrity Check
    For resource groups, an option is already available to check whether the passwords stored in the PAM360 database are in sync with the passwords on the target devices. Now, a new option, 'Periodic Integrity Check', lets you schedule this check to run on a specific day/time, at regular intervals of the specified day(s), or on a specific day of each month. The password integrity check then runs periodically according to the schedule set. Unlike the former option, the new option lets you check the integrity of the passwords in the desired groups on a schedule convenient to you.

Bug Fixes

  • During RDP sessions, it was not possible to copy text using the keyboard shortcut 'Ctrl+C'. This was due to a breakage in the Content Security Policy header enabled in PAM360 build 4000. This issue has been fixed.
  • From build 4000, while updating LDAP details, only the LDAP users were removed from the user group. This issue is fixed now.
  • From build 4000, SSH sessions did not get recorded when the option 'Enable splitting of SSH and Telnet session recordings into multiple files' was enabled under 'General Settings >> Miscellaneous'. This issue occurred on FQDN servers or when the DNS name contained an IP address. This issue has been fixed.
 

PAM360 Release 4.0 (4002) (14th January 2020)

Security Enhancement

Earlier, PostgreSQL data directories in Windows installations were entirely accessible to all locally authenticated users. Now, as a security practice, we have applied the following measures for installations under the 'Program Files' directory:

  • No inherited permissions are allowed for data and configurations directories.
  • "Authenticated Users" permission has been excluded entirely.
  • Only the CREATOR OWNER, SYSTEM, Installation User, NT AUTHORITY\Network Service and Administrators groups have Full Control over the directories and can start PostgreSQL.
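A PowerShell audit of the directory permissions described above, as an added example rather than PAM360's own tooling: it reports inherited ACEs, any remaining 'Authenticated Users' entry, and Full Control grants outside the listed principals. The install path, directory names and the installing user's account are assumptions to adjust for your installation.

```powershell
# Added example (not PAM360 code): check PostgreSQL data/config directory ACLs
# against the build 4002 hardening (no inheritance, no Authenticated Users,
# Full Control only for the listed principals).
$Root = 'C:\Program Files\ManageEngine\PAM360'   # assumed install location
$Dirs = @("$Root\pgsql\data", "$Root\conf")       # assumed directory names

# Principals the release notes list as keeping Full Control. Add the account
# that performed the installation ("Installation User") to this list.
$Expected = @(
    'CREATOR OWNER',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\NETWORK SERVICE',
    'BUILTIN\Administrators'
)
$Full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-PamDirectoryAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $findings = @()

    # 1. Inheritance must be disabled on the directory.
    if (-not $acl.AreAccessRulesProtected) { $findings += 'inheritance is enabled' }

    # 2. "Authenticated Users" must not hold any ACE.
    if ($acl.Access | Where-Object { $_.IdentityReference.Value -like '*Authenticated Users' }) {
        $findings += 'Authenticated Users still has an ACE'
    }

    # 3. Every Allow ACE granting Full Control must belong to an expected principal.
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $Full) -eq $Full) -and
            ($Expected -notcontains $who)) {
            $findings += "unexpected Full Control for $who"
        }
    }
    [pscustomobject]@{ Path = $Path; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

$Dirs | ForEach-Object { Test-PamDirectoryAcl -Path $_ } | Format-List
```

Run it in an elevated session; a directory reported as Compliant = False lists each deviation in Findings.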
 

PAM360 Release 4.0 (4001) (13th November 2019)

New Features

  • Integration with DigiCert SSL
    PAM360 integrates with DigiCert—a leading TLS/SSL, IoT and various other PKI solutions provider. Users can request, acquire, create, deploy, renew and automate the end-to-end management of SSL/TLS certificates issued by DigiCert, all directly from the PAM360 portal.
  • CSR Templates
    It is now possible to create and use predefined templates for CSR (Certificate Signing Request) generation from PAM360.
  • Option to Exclude Certificates
    Users can now choose to ignore certain certificates during SSL discovery or the manual addition of certificates into the PAM360 repository. A new option has been added under 'Admin >> SSH/SSL >> Exclude Certificate', where you can list the certificates to be excluded by specifying their Common Name and Serial Number.
  • Support for RFC2136 DNS Updates
    PAM360 now supports RFC2136 DNS updates to complete domain control validation while acquiring certificates from public certificate authorities (CAs).
  • Support for Browser Extensions
    From build 4001, support is enabled for browser extensions (Chrome and Firefox), which allow you to auto-fill passwords into websites and web applications, and to set up an Auto-Logon gateway to launch RDP and SSH sessions. Additionally, the add-on allows you to view all passwords, resource groups, favorites, etc., and to access existing passwords and add new ones, all in a single platform accessible through a central console.
  • Option to modify the email id of the Let's Encrypt account, which Let's Encrypt uses to send email alerts about expiring certificates.

Enhancements

  • From PAM360 build 4001, an option is provided for Linux resource types that lets users force-map SSH keys to user accounts, even if the target systems are not reachable.
  • Users can now use PAM360 to sign CSRs (using either the internal Microsoft CA or a root certificate) as and when they are generated.
  • PAM360 now supports file-based discovery for scheduled SSH and SSL discovery tasks.
  • A new dashboard widget to provide data about SSL configuration vulnerabilities has been added.
  • Support is enabled for the discovery of SSH keys with ECDSA and ED25519 signature algorithms.
  • A new REST API to view the private key passphrase of SSL certificates has been added.

Bug Fix

In PAM360 build 4000, while trying to integrate with ServiceDesk Plus, the "Invalid API key" error was encountered. This issue has been fixed in this build.