Trust and Security Portal


Palantir is a software company that builds the world's leading software for data-driven operations and decision-making. For more than a decade, we’ve worked with customers in the most secure and highly-regulated industries and built software for their most sensitive data. Today, security remains the cornerstone of our product development, company culture, and internal operations.

Palantir cares deeply about the security outcomes of our customers, and we’re committed to transparency about our security practices and program. We stand resolute in continuously improving our security, data protection, and privacy controls to give you the most effective means of protecting your data possible.

Network Diagram

Trust and Security Portal Updates

Palantir response to CrowdStrike Incident

General

Palantir is not affected

Palantir is not affected by any ongoing availability or stability incidents related to Microsoft Windows and CrowdStrike endpoint detection and response (EDR) tooling.


Palantir response to Snowflake Incident

General

Palantir is not affected

Palantir is not affected by any ongoing security incidents related to Snowflake, Databricks, or other data warehousing providers.


Palantir Security Bulletin - PLTRSEC-2024-40

Vulnerabilities

Security Bulletin

Bulletin ID: PLTRSEC-2024-40

CVE: N/A

Affected Products / Versions: N/A

Publication Date: March 13, 2024

Summary

On March 12, 2024, Palantir identified a defect in s3-proxy that caused the service not to respect customizations to Foundry’s default role-based access control configuration, specifically customizations that remove the download operation from the Compass Viewer role for particular services.

If the download operation had been removed from the Viewer role, a user with that role could bypass the restriction by generating temporary credentials with the AssumeRoleWithWebIdentity Standard Token Service (STS) API (https://<FOUNDRY_URL>/io/s3?Action=AssumeRoleWithWebIdentity&WebIdentityToken=<TOKEN>) and using them to perform downloads against datasets which they only have Viewer permissions on.

Background

S3-proxy is a translation service that enables third-party services to use S3 API syntax to integrate with Foundry. The S3 Proxy implements a subset of the S3 API such that you can interact with Foundry datasets using clients that know how to speak to S3, such as AWS CLI, AWS SDKs, Hadoop S3 file system, etc. This makes it possible to integrate tools and connectors that can communicate with S3, especially where a native Foundry connector does not exist.

Details

S3-proxy provided two operations to gate user activity: api:datasets-read and api:datasets-write. The api:datasets-read operation was granted with the Viewer role and, by default, enabled the ability to download datasets the user had Viewer permissions on. No operation was provided to separate the permission to download the dataset from the ability to view the dataset within the service.

Remediation

If download permissions have been removed from the Viewer role and added to a custom role, you will need to add the following permission to that custom role to restore download permissions: s3-proxy:datasets-read.

To audit for instances of abuse of this issue:

1. Open your audit log dataset.
2. Filter rows such that name=ASSUME_ROLE_WITH_WEB_IDENTITY and enumerate the token IDs in the tokenGeneration.generatedTokens[].id.other.value field.
3. Filter rows such that token_id contains one of the identified tokens.
4. The event GET_BATCH_DATASET_VIEW_FILE_2 would indicate that a dataset was downloaded; note that this is not necessarily the only operation that could download a dataset.
5. Review all other event names for evidence of dataset access.
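The audit procedure above, implemented over a JSON-lines export of the audit log. This is an added example, not code from Palantir or from the bulletin: the event names and the `name`, `token_id` and `tokenGeneration.generatedTokens[].id.other.value` fields are the ones the bulletin names, while the `user` and `dataset` keys, the JSON-lines layout and the sample rows are assumptions constructed for illustration. It collects the tokens minted via AssumeRoleWithWebIdentity, matches every row whose token_id contains one of them, and separates the known download event from other event names that still need manual review.

```python
import json

# Event names and field paths named in the bulletin.
STS_EVENT = "ASSUME_ROLE_WITH_WEB_IDENTITY"
DOWNLOAD_EVENT = "GET_BATCH_DATASET_VIEW_FILE_2"

# Constructed sample audit-log export (one JSON object per line). The `user`
# and `dataset` keys are assumed for illustration; real exports may differ.
SAMPLE_JSONL = """\
{"name": "ASSUME_ROLE_WITH_WEB_IDENTITY", "user": "viewer-1", "tokenGeneration": {"generatedTokens": [{"id": {"other": {"value": "tok-aaa"}}}, {"id": {"other": {"value": "tok-bbb"}}}]}}
{"name": "GET_BATCH_DATASET_VIEW_FILE_2", "user": "viewer-1", "token_id": "tok-aaa", "dataset": "dataset-1"}
{"name": "LIST_DATASET_FILES", "user": "viewer-1", "token_id": "tok-bbb", "dataset": "dataset-2"}
{"name": "GET_BATCH_DATASET_VIEW_FILE_2", "user": "editor-9", "token_id": "tok-session-zzz", "dataset": "dataset-3"}
{"name": "ASSUME_ROLE_WITH_WEB_IDENTITY", "user": "viewer-2", "tokenGeneration": {"generatedTokens": []}}
"""


def parse_audit_jsonl(text):
    """Parse a JSON-lines export into row dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sts_tokens(rows):
    """Step 2: map each token ID minted via AssumeRoleWithWebIdentity to the
    (assumed) user field of the row that minted it."""
    minted = {}
    for row in rows:
        if row.get("name") != STS_EVENT:
            continue
        for tok in row.get("tokenGeneration", {}).get("generatedTokens", []):
            value = tok.get("id", {}).get("other", {}).get("value")
            if value:
                minted[value] = row.get("user", "<unknown>")
    return minted


def matching_tokens(token_field, token_ids):
    """Step 3 helper: the bulletin says to filter rows whose token_id *contains*
    an identified token, so match by substring, or by membership when the
    field is a list."""
    if token_field is None:
        return set()
    if isinstance(token_field, (list, tuple, set)):
        return set(token_ids) & set(token_field)
    return {t for t in token_ids if t in str(token_field)}


def triage(rows):
    """Steps 3-5: group matched rows per STS token, recording datasets touched
    by the known download event and collecting every other event name for
    manual review (other operations may also download data)."""
    minted = sts_tokens(rows)
    report = {tid: {"minted_by": user, "downloads": [], "review": set()}
              for tid, user in minted.items()}
    for row in rows:
        for tid in matching_tokens(row.get("token_id"), minted):
            if row.get("name") == DOWNLOAD_EVENT:
                report[tid]["downloads"].append(row.get("dataset"))
            else:
                report[tid]["review"].add(row.get("name"))
    for entry in report.values():
        entry["review"] = sorted(entry["review"])
    return report


if __name__ == "__main__":
    for tid, entry in triage(parse_audit_jsonl(SAMPLE_JSONL)).items():
        print(tid, json.dumps(entry))
```

Rows that carry a token not minted through AssumeRoleWithWebIdentity (the `tok-session-zzz` download in the sample) are deliberately left out of the report, since the bulletin's bypass only applies to temporary credentials minted through that API; the `review` list is what an analyst still has to read by hand.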

Timeline

N/A

Acknowledgement

This issue was identified internally at Palantir.


Palantir Security Bulletin - PLTRSEC-2024-37

Vulnerabilities

Security Bulletin

Bulletin ID: PLTRSEC-2024-37

CVE: CVE-2023-30971

Affected Products / Versions: N/A

Publication Date: March 12, 2024

Summary

Multiple endpoints in Gaia (Gotham) were found to be unauthenticated due to a framework migration misconfiguration. A malicious user with knowledge of specific resource IDs could have interacted with the endpoints to read data without authentication checks. The resource identifiers are generated randomly, which makes brute-forcing or guessing them unlikely. All the impacted endpoints were thoroughly audited and we found no evidence of abuse.

Background

Gaia is a collaborative map application with easy-to-use drawing tools, support for real-time data integrations, and functionality for performing advanced geospatial analysis.

Details

On January 16th, 2024, it was discovered that the Gotham Gaia application had multiple endpoints that were lacking authentication. Exploitation by an attacker was not possible because the endpoints require query parameters in the form of resource IDs that are generated in a random and secure way.

Additionally, all the endpoints and services were audited by Palantir and there was no evidence of abuse.

Remediation

All the impacted endpoints were fixed by requiring strict authentication/authorization checks on Gaia.

Timeline

N/A

Acknowledgement

This issue was identified internally at Palantir.


Palantir Security Bulletin - PLTRSEC-2024-35

Vulnerabilities

Security Bulletin

Bulletin ID: PLTRSEC-2024-35

CVE: N/A

Affected Products / Versions: N/A

Publication Date: February 22, 2024

Summary

The magritte-smb source will fall back to unencrypted sessions if the server does not require SMB encryption in transit.

Background

The Server Message Block (SMB) protocol was originally designed for sharing files, printers, serial ports, and other hardware resources between a server and multiple client systems on a LAN. The protocol itself has seen two major revisions, and prior to the latest release (version 3.x), encryption of data in transit was still an optional feature. SMB 3.0 upgraded the protocol's message encryption and signing and made encryption of data in transit mandatory.

Protocols like SMB 3.0 and HTTPS introduce mandatory encryption to reduce data exposure in transit, which often results from protocol downgrade attacks. A Windows administrator could easily miss the fact that, while common SMB 2.x servers support encrypted clients, they may still leave sensitive data exposed on the wire if the client is misconfigured, or if a man-in-the-middle can intercept connections to perform a downgrade attack.

Details

The magritte-smb source prior to version 0.42.0 did not configure its SMB client to require encryption. As a result, if magritte-smb connected to a legacy SMB 2.x server (such as those shipped with Windows Vista and Windows Server 2008), the connection may have transmitted data in cleartext.

Remediation

Magritte agents that pull data from SMB servers have been upgraded to magritte-smb source version 0.42.0 (or newer).

All forward-deployed Palantir resources have been notified to identify and address any SMB connections which do not require encryption where they have the ability to do so. Additionally, Palantir has forced all cloud-hosted (e.g., Palantir Cloud) data connections to require encryption, where such configuration is technically possible.

Palantir strongly recommends that customers run the most recent versions of relevant SMB software, as older versions have known vulnerabilities and are attractive targets for attackers.

Timeline

N/A

Acknowledgement

This issue was identified internally at Palantir.


If you think you may have discovered a vulnerability, please send us a note.
