Bug Fixes
We have addressed and resolved two significant issues in build 7001:
Security Fix
An SQL injection vulnerability (CVE-2024-5546) that would have allowed any authenticated user to access the database has been identified and resolved.
New Features
Kubernetes Integration for TLS Secrets
PAM360 now integrates with Kubernetes (K8s) - an open-source platform that automates containerized application deployment, scaling, and secrets management. Kubernetes secrets, a feature provided by the Kubernetes platform, facilitates a secure way of storing Kubernetes TLS secrets (certificates) within Kubernetes clusters.
The integration aids administrators in securely fetching the Kubernetes TLS secrets (certificates) into PAM360, managing them within the single centralized repository, and rotating/updating the secrets obtained from multiple Kubernetes clusters.
To configure and manage all your Kubernetes TLS secrets (certificates) via PAM360, navigate to 'Certificates >> Kubernetes' in the PAM360 console.
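An added example (not ManageEngine code) of the first step such an integration has to perform: take a `kubernetes.io/tls` Secret as the Kubernetes API returns it, decode the base64 PEM under `tls.crt` and `tls.key`, read the leaf certificate's subject and expiry for the central inventory, and confirm the bundled key belongs to the certificate. The Secret name, namespace and the self-signed certificate are constructed inside the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// tlsSecret mirrors a kubernetes.io/tls Secret: data holds base64 PEM under tls.crt and tls.key.
type tlsSecret struct {
	Metadata map[string]string `json:"metadata"`
	Type     string            `json:"type"`
	Data     map[string]string `json:"data"`
}

// CertInfo is what a central certificate inventory would record per secret.
type CertInfo struct {
	Secret     string    // namespace/name
	Subject    string    // leaf certificate CN
	NotAfter   time.Time // expiry, the input to any renewal schedule
	KeyMatches bool      // tls.key really is the private key for tls.crt
}

// decodePEM base64-decodes one data value and returns the DER of its first PEM block of the wanted type.
func decodePEM(b64, want string) ([]byte, error) {
	pemBytes, _ := base64.StdEncoding.DecodeString(b64) // bad base64 simply yields no PEM block
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != want {
		return nil, fmt.Errorf("expected a %s PEM block", want)
	}
	return block.Bytes, nil
}

// InspectTLSSecret parses the leaf certificate of a TLS Secret and checks the bundled key belongs to it.
func InspectTLSSecret(raw []byte) (CertInfo, error) {
	var s tlsSecret
	if err := json.Unmarshal(raw, &s); err != nil {
		return CertInfo{}, err
	}
	if s.Type != "kubernetes.io/tls" {
		return CertInfo{}, fmt.Errorf("%s: not a TLS secret (type %q)", s.Metadata["name"], s.Type)
	}
	crtDER, errC := decodePEM(s.Data["tls.crt"], "CERTIFICATE")
	keyDER, errK := decodePEM(s.Data["tls.key"], "EC PRIVATE KEY")
	if errC != nil || errK != nil {
		return CertInfo{}, fmt.Errorf("tls.crt: %v; tls.key: %v", errC, errK)
	}
	cert, errC := x509.ParseCertificate(crtDER)
	key, errK := x509.ParseECPrivateKey(keyDER)
	if errC != nil || errK != nil {
		return CertInfo{}, fmt.Errorf("certificate: %v; key: %v", errC, errK)
	}
	pub, _ := cert.PublicKey.(*ecdsa.PublicKey) // nil if the certificate is not ECDSA
	return CertInfo{
		Secret:     s.Metadata["namespace"] + "/" + s.Metadata["name"],
		Subject:    cert.Subject.CommonName,
		NotAfter:   cert.NotAfter,
		KeyMatches: pub != nil && pub.Equal(&key.PublicKey),
	}, nil
}

// SampleSecret builds a constructed Secret with a self-signed certificate valid for validDays.
func SampleSecret(cn string, validDays int) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(validDays) * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	b64pem := func(t string, b []byte) string {
		return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}))
	}
	raw, _ := json.Marshal(tlsSecret{Type: "kubernetes.io/tls",
		Metadata: map[string]string{"name": "web-tls", "namespace": "prod"},
		Data:     map[string]string{"tls.crt": b64pem("CERTIFICATE", der), "tls.key": b64pem("EC PRIVATE KEY", keyDER)}})
	return raw
}

func main() {
	fmt.Println(InspectTLSSecret(SampleSecret("app.example.internal", 20)))
}
```

A real fetch would obtain the same JSON from the API server (for example `kubectl get secret web-tls -n prod -o json`); a Secret whose key does not match its certificate, or that is about to expire, is exactly what a rotation schedule should flag.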
Private Certificate Authority (CA) / Intermediate CA
PAM360 now offers a new feature, Private CA (Intermediate CA), that allows organizations to create and manage their certificates internally. Selected users can sign the end-user certificates for internal servers, applications, and services using the intermediate certificate, signed using the root certificate.
With this feature, organizations can:
Azure Key Vault - TLS Secrets Management
PAM360 now allows users to manage the TLS secrets stored in the Secrets of Microsoft Azure Key Vault - a management service offered by Microsoft. Through this integration, users can create (PFX format), renew, and manage the entire lifecycle of SSL/TLS certificates stored in the Secrets of Azure Key Vault via PAM360 by importing them into the PAM360 repository.
Configurable ACME
PAM360 supports adding ACME providers for the effective automation of certificate lifecycle management. In addition to its existing integration with well-known certificate authorities such as Let's Encrypt, Buypass Go SSL, and ZeroSSL, which offer automated SSL/TLS certificate management, PAM360 can now incorporate other ACME service providers, enabling efficient certificate management with automated precision. To explore the configurable ACME feature, navigate to 'Admin >> SSL Certificates >> ACME Providers'.
Enhancements
Microsoft Entra ID Integration
PAM360 now offers enhanced functionality for importing users from Microsoft Entra ID, including the ability to:
Additionally, the Role, Language, and Two-Factor Authentication information is now displayed on the 'Microsoft Entra ID Synchronization Schedules' page, allowing administrators to:
LDAP Integration
PAM360 has improved its LDAP integration user-import capabilities, enabling administrators to:
These enhancements are reflected on the LDAP Server Configuration page, where administrators can now:
Note: For both Microsoft Entra ID and LDAP, configurations applied during the initial import will be retained in subsequent schedules unless modified.
Bug Fixes
Security Fixes
Enhancement
PAM360 now supports SSH proxy for the native PAM360 Remote Connect application. For more details, refer to the Remote Connect release notes.
Behavioral Change
We have limited the SFTP download size to 6GB due to performance issues with large downloads in user environments. Please contact our support team for more information on customizing the download limit.
Bug Fixes
New Feature
PAM360 SDK
Introducing the latest addition to our PAM360 suite: the PAM360 Software Development Kit (SDK). The SDK opens up new pathways for developers and administrators, offering seamless integration of PAM360 functionalities within DevOps, CI/CD platforms, or any other microservices/software across organizations. By leveraging the SDK, developers can efficiently embed privileged access management capabilities into their applications, ensuring robust security and seamless functionality within the PAM360 environment.
Key Highlights of PAM360 SDK
For detailed information on configuring and managing PAM360 SDK, please refer to our comprehensive help documentation.
Enhancement
Now, administrators can tailor diverse access permissions during PAM360 user account creation, offering a spectrum of options, including Web Access, REST API Access, and SDK Access for a single user account. This update empowers administrators to finely tune user privileges according to specific organizational requirements, ensuring precise allocation of PAM360 access to the users as desired. Notably, existing REST API-only user creation remains unchanged, with the added benefit of providing SDK access.
Note: This update does not impact the roles and functionalities of existing user accounts. However, administrators can now leverage these new access levels when modifying existing user accounts.
Behavioral Changes
Bug Fixes
Security Fix
In build 6610, we encountered a Reflected XSS vulnerability (CVE-2024-27313) at a few PAM360 URLs. This issue has now been resolved.
New Feature
PAM360 now supports SCIM 2.0 (System for Cross-domain Identity Management) to exchange user data between SCIM-supported Identity Providers and the PAM360 application. The Identity Provider's SCIM provisioning agent installed within the PAM360 server network helps administrators easily synchronize user and user group details between their existing identity management systems and the PAM360 application using the provided SCIM APIs.
Feature Highlights
Refer to the help documentation for more insights on PAM360's SCIM APIs and the sample configuration of SCIM provisioning in Microsoft Entra ID.
New Integration
PAM360 now integrates with ServiceDesk Plus Cloud for secured and seamless remote access to SDP technicians for privileged resources within PAM360. With this integration, administrators can now grant remote access to authorized personnel without compromising security and with session recordings for traceability. Technicians can now securely access target machines for raised requests directly from the SDP portal, eliminating the hassle of switching between interfaces for remote sessions.
Security Fix
Security Fix
In build 6600, we have identified a vulnerability (CVE-2024-27312) that allowed low-privileged users to perform certain privileged operations by sending crafted URL requests to the PAM360 server. This issue has now been fixed.
Note: Users who have downloaded the PAM360 build 6600 are strongly advised to use the latest 6601 build and SHA256 checksum hash value to ensure security measures and mitigate the risk of unauthorized access.
New Feature
Time-Based One Time Password (TOTP)
Introducing TOTP support in PAM360 for accounts utilizing TOTP as the form of Two-Factor Authentication (2FA). This feature allows administrators to utilize the shared TOTP secrets in accounts for further TOTP code generation, particularly for website accounts configured with 2FA. Once configured, users can directly access such privileged accounts from the PAM360 interface, facilitating the generation of TOTP codes for 2FA alongside the shared passwords. This ensures a streamlined end-to-end process for setting up, validating, and authenticating users to utilize shared accounts configured with password and 2FA, enhancing overall security posture and user experience.
Enhancement
Earlier, PAM360 lacked a setting to specify custom connection properties when changing or migrating the backend database from PostgreSQL to MS SQL. From now on, custom connection properties can be added, thus providing users with greater flexibility to connect to their MS SQL server when changing or migrating the backend database.
Upgrade
The PostgreSQL server has been upgraded from version 10.18 to 14.7.
Bug Fixes
Bug Fix
From build 6530 onwards, fetching the Organizational Units from the Active Directory instances failed due to a change in the memory management process. This issue has now been resolved.
New Feature
Endpoint Privilege Management via Application Control in PAM360
PAM360 now enhances its endpoint privilege management capabilities using Application Control, powered by ManageEngine's Application Control Plus. The feature offers robust endpoint privilege management, allowing administrators to regulate application usage on organizational endpoints across PAM360 efficiently. With customizable rules, administrators can create and manage allowlists and blocklists directly from the PAM360 interface, ensuring precise control over application access. Additionally, in break-glass scenarios, administrators can temporarily authorize applications on the blocklist, enhancing security and simplifying application access management for users.
Feature Highlights
Unlock advanced application management capabilities with your existing ManageEngine Application Control Plus license and experience secure and efficient endpoint management within the PAM360 environment with an Application Control Plus version higher than 11.3.2404.1. If you are new to Application Control, download Application Control Plus now for free management of up to 25 Windows devices.
Refer to the help documentation to know more about the Application Control in detail!
UI/UX Enhancement
We have updated a few UI text elements in the user dashboard to avoid misinterpretation between the total number of users and active users.
Bug Fixes
Enhancements
UI/UX Enhancements
Bug Fixes
Security Fixes
New Feature
Security Hardening Dashboard
Introducing the Security Hardening Dashboard—an innovative feature designed to offer comprehensive insights into the security postures of both the PAM360 application and server, bolstered by a dynamic security score. This centralized dashboard gives administrators a powerful tool to swiftly implement best practices, fortifying the entire PAM360 environment. Encompassing application, server, and user status reports as well as security hardening scores, this all-in-one toolkit serves as a valuable resource for maximizing the security potential of PAM360.
Refer to the help documentation to know more about the dashboard in detail!
Enhancement
PAM360 now supports the Hebrew language.
Behavioral Change
In previous versions, periodic password export schedules persisted in Resource Groups despite specific scenarios, such as when the option to export passwords to an encrypted HTML file was disabled globally or for specific users, or when password export was disabled for 'Resource Groups' in 'Export/Offline Access'. With the 6520 upgrade, this behavior will be rectified to align with its intended functionality. After the upgrade, if the mentioned export choices are enabled, users must enable the corresponding schedule through the 'User Created Schedules' window to restart the schedule.
Bug Fixes
Security Fixes
Enhancements
Bug Fixes
Security Fixes
New Feature
Smart Login
We have introduced a convenient login method in PAM360: Smart Login via QR code. The feature allows effortless login to PAM360 by scanning the QR code displayed on the PAM360 webpage using the PAM360 mobile application (Settings >> Smart Login). This direct login method streamlines the process with a passwordless authentication, thus significantly reducing login effort.
Note: To use this functionality, users should upgrade PAM360 web and mobile applications to the following versions as applicable.
New Integration
Integrate PAM360 with 800+ Business Applications Now via Zoho Flow!
PAM360 integration with Zoho Flow empowers users to deploy workflow automation across 800+ business applications, with a major focus on HR and IT Service Management (ITSM). The integration enables swift onboarding and offboarding of users from recruitment/ATS systems into PAM360, thus seamlessly bridging the HR and ITSM functions of an organization.
With this integration, a designated PAM360 REST API user can effortlessly craft custom workflows in Zoho Flow, connecting PAM360 to an extensive range of applications within Zoho Flow using its dedicated APIs, which perform pivotal actions such as user creation, group management, account control, and privileged resource sharing in automated workflow triggers.
Read our help documentation to know more about this integration, and real-time scenarios in detail.
Enhancements
Bug Fixes
Security Fix
Enhancements
Bug Fixes
Security Fix
A custom audit filter created by one user could be deleted by other users due to a security vulnerability, which has been fixed in this release.
Enhancements
REST API
Bug Fix
Enhancement
Behavioral Changes
When implementing the LDAP user import enhancement, several behavioral changes occur:
Bug Fixes
New Feature
Application Scaling using External PostgreSQL Cluster
To keep workflows continuous and uninterrupted as the user base, API workloads, and user traffic grow day by day, we introduce an additional scalability function in PAM360 by which users can use their external PostgreSQL cluster as the backend database.
Feature Highlights
Enhancements
Upgrade
The JRE (Java Runtime Environment) used in PAM360 has been upgraded from version 1.8.0_252 to 1.8.0_372.
Bug Fixes
Security Fixes
Enhancement
Earlier, during bidirectional transfer of files through SFTP in PAM360, connections could be established through local accounts only. Hereafter, users can utilize the domain account or the logged-in account (AD/Azure AD) credentials to establish the connections. This enhancement paves the way for flexible and secure file transfers.
New Features
Note: If you are already using an SSL agent for SSH/SSL-related operations, it's required to reinstall the agent for these new integrations to work seamlessly.
Enhancements
Upgrade
The JavaScript framework jQuery used in PAM360 has now been updated to version 3.6.0.
Behavior Change
Users can now keep up to five of each of the following certificate types in PAM360's centralized SSL repository without affecting the number of keys available in the license:
Bug Fixes
Security Fixes
New Feature
Policy-Based Access Privilege Using Zero Trust Approach
Introducing our Policy-Based Access Privilege feature - an advanced security model designed to minimize the risk of cyber-attacks and data breaches by eliminating implicit trust. This is achieved by continuously and dynamically calculating the trust scores of users and resources using conditional and predefined parameters, with an assist from the respective installed agents. This ensures that only authorized users/devices have access to the critical privileged resources in an organization.
How Does this Feature Work in Real-Time?
This new feature allows administrators to implement policy-based access privileges based on the trust score methodology. It is achieved by installing user/resource agents on relevant devices, defining parameters and weightage values, and creating access policies for the respective user/resource group. After the access policies are configured, they are associated with the respective resource groups via static resource groups. With this configuration in place, access privileges are granted to users or restricted based on the configured access policy conditions and criteria.
Salient Feature Highlights
Read our help documentation to know more about this feature, configurations, and real-time scenarios in detail.
Bug Fixes
Security Fixes
In this build, issues that allowed the following unauthorized privileged access to the users have been found and fixed:
Similar to the above fixes, we have fixed 16 such issues that led to unauthorized privileged access.
Bug Fixes
New Feature
HTTPS Gateway Server
We have introduced HTTPS Gateway Server, a feature that allows users to launch privileged HTTPS connections to internal and external websites that are not directly accessible from the end-user devices. PAM360 acts as an intermediary proxy and establishes connections with those devices.
The feature works by adding HTTPS-based web links to the resources configured under HTTPS Gateway in Auto Logon Helper. Once configured by the administrators, users can access those websites directly from the PAM360 interface via HTTPS Gateway connection, thus allowing organizations to provide secure privileged access to the internal or external web applications. The relevant details are captured under the Audit section.
See our documentation for more details about this feature and its configuration.
Enhancement
Security Notification
The PAM360 web console will display an in-product notification after each security release reminding the administrators to upgrade the product.
New Feature
Support for New Two-Factor Authenticators
We have introduced the following authentication services in PAM360:
Enhancements
MSP Edition
REST API
Behavior Changes
Upgrade
This version of PAM360 comes with the upgraded third-party framework used for HTML5-based RDP and SSH gateway features.
Bug Fixes
Security Fix
Prior to this version, the PAM360 agent communicated with the PAM360 server without determining the validity of its SSL certificate in the following aspects, thus increasing the risk of external exploitation:
From now on, the PAM360 agent will check if a valid SSL certificate is installed on the PAM360 server before initiating communication, thereby boosting security.
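An added example (not the PAM360 agent's own code) of the check described above, written in Go because the Linux agent this page mentions is a Go agent: the client is configured to verify the server certificate against a provisioned CA pool, so the TLS handshake itself rejects an untrusted chain, a wrong host name or an expired certificate; the `skipVerify` flag reproduces the old accept-anything behaviour only for contrast. The HTTPS server and its self-signed certificate are constructed locally with `httptest`.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newAgentClient builds the HTTPS client an agent uses to reach its server.
// roots is the CA pool the agent trusts (nil selects the OS trust store).
// skipVerify reproduces the old behaviour, where any certificate was accepted:
// with it set, chain, host name and validity period are all left unchecked.
func newAgentClient(roots *x509.CertPool, skipVerify bool) *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			MinVersion:         tls.VersionTLS12,
			RootCAs:            roots,
			InsecureSkipVerify: skipVerify,
		}},
	}
}

// CheckServer is the pre-communication check: it opens a TLS connection to
// serverURL and fails unless the presented certificate verifies against the
// trusted roots (the handshake checks chain, host name and expiry, so a bad
// certificate surfaces as the error returned by Get).
func CheckServer(serverURL string, roots *x509.CertPool, skipVerify bool) error {
	resp, err := newAgentClient(roots, skipVerify).Get(serverURL + "/health")
	if err != nil {
		return fmt.Errorf("server certificate rejected: %w", err)
	}
	defer resp.Body.Close()
	if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
		return fmt.Errorf("connection to %s is not TLS", serverURL)
	}
	leaf := resp.TLS.PeerCertificates[0]
	if time.Until(leaf.NotAfter) < 7*24*time.Hour { // early warning before validity runs out
		fmt.Printf("warning: %s expires on %s\n", leaf.Subject, leaf.NotAfter.Format("2006-01-02"))
	}
	return nil
}

// StartSampleServer starts a local HTTPS server with a self-signed certificate
// (constructed; it stands in for the server the agent talks to).
func StartSampleServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

// TrustPool returns a pool holding only that server's certificate, the way an
// agent would be provisioned with the server's CA instead of trusting anything.
func TrustPool(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

func main() {
	srv := StartSampleServer()
	defer srv.Close()
	fmt.Println("provisioned CA:  ", CheckServer(srv.URL, TrustPool(srv), false)) // <nil>
	fmt.Println("OS trust store:  ", CheckServer(srv.URL, nil, false))            // rejected
	fmt.Println("verify disabled: ", CheckServer(srv.URL, nil, true))             // <nil>, the old behaviour
}
```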
Bug Fixes
New Feature
Self-Service Privilege Elevation for Linux
We are glad to introduce Self-Service Privilege Elevation (agent-based) for the Linux resources in PAM360. This feature allows administrators to configure privileged commands, thus allowing non-privileged users to execute them with an elevated privilege. The privileged commands can be associated with specific accounts and resources as configured by the administrator.
Feature Highlights:
Key Benefits:
Please go ahead and read our help documentation to know more about Self-Service Privilege Elevation capabilities in Linux.
Bug Fix
In build 5900, users could not launch remote connections to endpoints using the AD and Azure AD account credentials. This issue has now been fixed.
Security Fix
In build 5900, a stored XSS issue occurred via the commands added in command groups while accessing query reports. This issue has been fixed in this build.
New Feature
SSH Command Control (Filtering)
We are delighted to announce SSH Command Control (Filtering) in the SSH-privileged remote sessions of PAM360. This feature allows administrators to configure authorized command sets for the end users to use in their SSH-privileged remote sessions. The command sets can be associated with specific accounts, resources, and resource groups that get delegated to end users.
Feature Highlights:
Key Benefits:
Excited to know more about configuring and using this feature? Please go ahead and read our help documentation.
Bug Fixes
Enhancement
PAM360 now supports OAuth 2.0 authentication for SMTP-based email communications using Microsoft Exchange Online to provide a secure channel for the outbound emails from PAM360. Users can configure Microsoft Exchange Online as the mail server through which PAM360 sends email notifications. During the setup, PAM360 verifies the connection with Microsoft Exchange Online using the Tenant ID, Client ID, and Client Secret value taken from the Microsoft Azure portal. This mechanism eliminates the need for users to provide account credentials to authenticate the notification emails. Users can choose Microsoft Exchange Online under 'Admin >> Settings >> Mail Server Settings' to activate OAuth 2.0 authentication for all emails sent from PAM360.
Security Fix
A SQL injection vulnerability (CVE-2022-47523) in our internal framework, which would have allowed all PAM360 users to access the backend database, has been addressed and fixed.
New Features
Enhancements
Upgrade
The internal security framework has been upgraded to the latest version to reduce the occurrence of vulnerabilities and bolster overall security.
Bug Fixes
A third-party library has been upgraded in PAM360.
Some bug fixes and enhancements have been done.
Upgrade
The Apache Commons Text jar has been upgraded from version 1.8 to 1.10.0.
Security Fixes
Bug Fix
Earlier, the Search function failed to work when multiple text filters were added. This issue has been fixed.
Behavior Change
PAM360 will no longer support the 32-bit and 64-bit versions of the C++ agent for Windows and Windows Domain systems and the C agent for Linux. The C and C++ agents will still be functional in the older versions of PAM360 past this date. However, we highly recommend using the C# agent for Windows and Windows Domain machines and the Go agent for Linux machines, as they come with additional features, such as password reset listeners, dynamic account filtering, and self-service privilege elevation in Windows. Refer to the forum post to learn more about the end-of-support announcement.
Enhancements
Bug Fixes
New Feature
To provide uninterrupted access to passwords, we have introduced another functionality - the Read-Only (RO) server for the PostgreSQL database. Unlike High Availability, where there is one Primary server and one Secondary server, multiple Read-Only servers can be configured. The Read-Only servers function as mirror servers, synchronizing all of the Primary server's operations. In the event of a Primary server failure, administrators can convert any Read-Only server into the Primary server and reconfigure all other Read-Only servers to point to the new Primary server. Read-Only servers can be configured from 'Admin >> Configurations >> Read-Only Server.'
New Feature
PAM360 Remote Connect - a Native Desktop Client for Remote Access
Introducing PAM360 Remote Connect—an independent desktop client for Windows, designed to facilitate direct remote access to Windows and SSH-based target resources without the need for multiple remote clients or web browsers. PAM360 Remote Connect harnesses Windows' native Remote Desktop client and the PuTTY SSH client to launch RDP and SSH-based connections from a centralized console. The lightweight desktop client directly leverages the PAM360 web application's privileged access governance to regulate remote access to the critical assets in your environment. It offers enhanced ease of use and a superior user experience with its faster and smoother RDP and SSH-based remote connections. It also has auditing capabilities—the session audit trails are recorded in PAM360's web application. PAM360 Remote Connect is compatible with PAM360 build 5600 and above. To learn more and to download PAM360 Remote Connect, click here.
Bug Fixes
From build 5500 onwards, administrators were unable to delete a user profile if the user had created any type of resource discovery task. Also, if the user owned a discovery schedule, administrators were unable to transfer the schedule ownership to another user from 'Discovery >> Schedule.'
Security Fix
We identified several SQL injection vulnerabilities in the Search and Resource Group export operations that were caused by improper user input validation. These issues have been fixed.
Enhancement
Integration with Entrust nShield Hardware Security Module (HSM)
PAM360 now offers a new data encryption method—Entrust nShield HSM. Through this integration, users can switch from PAM360's native encryption method to Entrust nShield's hardware-based data encryption for the privileged identities and the personal passwords stored in PAM360. Users can secure their data encryption key within the HSM to safeguard it locally in their environment.
Bug Fixes
Enhancements
New Feature
Folders
We have introduced a new feature - Folders in PAM360, which allows the users to organize the resource accounts stored in PAM360 under various custom folders. The 'Folders' option is available for the Resources and Connections tabs. Administrators can enable or disable the Folders' option from 'Admin >> Settings >> General Settings >> Miscellaneous'. This system of organizing the accounts based on personal preferences will allow users to manage them effortlessly.
Bug Fix
In Linux, when users tried to discover accounts using a root user account while direct login access was disabled, the account discovery failed. This issue has been fixed.
New Feature
Integrating with a new Ticketing System: BMC Helix Remedyforce
PAM360 now integrates with the BMC Helix Remedyforce. This integration ensures automatic validation of service requests related to privileged access. Through this integration, administrators can mandate users to provide valid ticket IDs to gain authorized access to privileged passwords. The integration helps in granting approvals to access requests through automatic validation of the corresponding service requests in the ticketing system.
Enhancement
Two new fields - PAM360 User Full Name and PAM360 User Email Id have been added to the 'Column Name' drop-down under 'Ticketing System >> Advanced configurations'. This will allow administrators to configure the ticketing system to validate tickets based on User Full Name and Email Id.
Behavior Change
Bug Fix
From build 5500, elevation of applications using Self-Service Privilege Elevation failed due to an invalid response from the PAM360 server. The issue has been fixed.
Enhancements
The Connection tab comes with the following improvements:
Security Fixes
New Feature
PAM360 now supports creating schedules for automatically discovering new privileged accounts during Linux, Network Devices, and VMware discovery.
Enhancements
New Query Reports:
Bug Fix
From build 5400, administrators were unable to import users through AD. The issue has been fixed.
Security Fix
An authentication bypass vulnerability (CVE-2022-29081) affecting ManageEngine PAM360 builds from 4001 to 5400 has been fixed. It occurred due to an improper URI check that allowed an adversary to bypass security checks in seven REST API URLs, gain unauthorized access to the application, and invoke the following operations:
Enhancements
Upgrades
Bug Fixes
Behavior Change
The API handling code which earlier responded to the V1 API format of ServiceDesk Plus MSP will henceforth respond to their V3 API format.
New Feature
Integration with the Cortex XSOAR RPA Tool
ManageEngine PAM360 integrates with Cortex XSOAR, a Robotic Process Automation (RPA) tool that allows users to build standardized responses through commands to facilitate the automation of software processes. PAM360 provides various commands that cover a wide range of automation tasks, such as creating resources and accounts, fetching passwords, and updating resource and account details; these commands can be combined to create a complete endpoint management workflow.
Enhancements
Behavior Change
Before the upgrade, if the 'Autofill' option was enabled in the user's browser, there was a chance for browser data to be auto-populated in the 'VNC Passwords' field. Now, with the 5305 upgrade, all VNC resource passwords will be added to an account called '_VNCACCOUNT_' under their respective resources.
Feature
Self-Service Privilege Elevation
Using the Self-Service Privilege Elevation feature, an administrator can allow a user to run a specific application(s) with elevated privileges without sharing the privileged account passwords. With this feature, it is possible to perform administrative functions on an endpoint without the need for the administrators to share the account passwords. The passwordless strategy used to run applications with elevated account privileges assures that only the intended administrative tasks are performed by a user without entering administrator credentials.
Enhancements
Security Fix
A SQL injection vulnerability that allowed users to access the restricted tables in 'Query Reports' has been fixed.
Security Fix
An authentication bypass vulnerability (CVE-2021-44525) that allowed an adversary to gain unauthorized access to the application and invoke actions through specific application URLs has been fixed. It affects ManageEngine Access Manager Plus versions up to 4202.
Enhancement
Administrators can now enable and set up a customizable welcome message once a session commences. In addition, they can enable the session recording status in the session window.
Enhancement
New Agents
This release comes with two new agents - a C# agent for Windows/Windows Domain and a Go agent for Linux. Henceforth, it will be possible to restrict the user accounts that are added via agents (the new agents only) during account discovery, using regex patterns.
Bug Fixes
New Features
Enhancements
Behavior Change
From now on, all certificates with unique serial numbers will be listed under the 'Certificates' tab. However, the existing users can manage their already added certificates from the History section, which has now been moved under the 'Column Chooser'.
Bug Fixes
Security Fixes
Enhancements
Behavior Changes
Note: If your current Ticketing System is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete the complete integration data. You will have to reconfigure the ticketing system again. So, make sure you save a backup of the advanced configurations in the form of screenshots for reference.
Bug Fixes
Security Fixes
Enhancements
Bug Fixes
Security Fix
Enhancement
Security Fixes
Security Fix
New Features
Bug Fixes
New Features
Enhancements
Bug Fixes
Security Fixes
Security Fix
New Features
Enhancements
Bug Fixes
Security Fixes
Enhancement
New Features
Enhancement
Bug Fixes
Security Enhancement
Earlier, PostgreSQL data directories in Windows installations were entirely accessible to all locally authenticated users. Now, as a security practice, we have applied the following measures for installations under the 'Program Files' directory:
New Features
Enhancements
Bug Fix
In PAM360 build 4000, while trying to integrate with ServiceDesk Plus, the "Invalid API key" error was encountered. This issue has been fixed in this build.