Insecure renegotiation in SSL protocol caused Denial of service attack in Privileged Account Manager
Description
Allocation of Resources Without Limits or Throttling vulnerability in OpenText NetIQ Privileged Account Manager on Linux, Windows, 64 bit allows Flooding. This issue affects NetIQ Privileged Account Manager: before 3.7.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NetIQ Privileged Account Manager before 3.7.0.2 suffers from an unthrottled resource allocation flaw that can be exploited for denial of service.
Vulnerability
CVE-2020-11862 is an Allocation of Resources Without Limits or Throttling vulnerability in OpenText NetIQ Privileged Account Manager (PAM). The issue affects all versions of NetIQ PAM before 3.7.0.2, on Linux, Windows, and 64-bit platforms. The vulnerability resides in a component where resource allocation lacks appropriate limits or throttling, allowing an attacker to exhaust system resources by triggering uncontrolled resource consumption.
Exploitation
An attacker does not require authentication to exploit this vulnerability; they can send specially crafted requests from any network position that can reach the affected PAM service. While no detailed exploit sequence is provided in the references, the vulnerability class (flooding) indicates that repeated or sustained requests can cause the system to allocate resources without bound, leading to exhaustion.
Impact
Successful exploitation leads to a denial of service (DoS) condition. The attacker can cause the service to become unresponsive due to resource exhaustion, affecting availability. There is no indication of data confidentiality or integrity compromise; the primary impact is on system availability.
Mitigation
The vulnerability is fixed in NetIQ Privileged Account Manager 3.7.0.2 (3.7 Patch Update 2), released in September 2020 per the release notes [1]. Users should upgrade to version 3.7.0.2 or later. No workarounds are documented in the available references. If an upgrade is not immediately possible, organizations may consider network-level restrictions to limit exposure to potentially malicious traffic.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.7.0.2
- OpenText/NetIQ Privileged Account Manager (v5) Range: 3.7.0.2
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.