Annoyed at manual patching of Chrome or Edge? Every month more vulnerabilities show up on scans. Not upgrading to v13.2 any time soon?
Let’s face it, playing whack-a-mole with vulnerability scans is painful for you, AND a risk to your organization if you don’t keep software patched.
This is a walkthrough on configuring and deploying the CyberArk WebDriverUpdater tool and a custom script, so that you can patch Chrome and Edge and keep the WebDrivers up to date until you can migrate CyberArk PAS on-prem to v13.2.
The WebDriverUpdater tool will auto-download the Chrome or Edge driver from the URLs listed under Prerequisites if the driver doesn’t already exist. The custom script checks for an updated driver every 30 minutes. If a new driver file was created within the last 30 minutes, it re-runs AppLocker hardening; if not, it skips AppLocker hardening.
Prerequisites —
- WebDriverUpdater tool from CyberArk Marketplace — https://cyberark-customers.force.com/mplace/s/#a35Ht000000rjXlIAI-a39Ht000001kceVIAQ
- PSM v12.x or below
- PS script from GitHub — https://github.com/aglerj/CyberArk-WebDriverUpdater-BackwardsCompatibility/blob/main/CustomWebDriverUpdater.ps1
- The following URLs are not blocked on the PSM servers:
  - https://chromedriver.storage.googleapis.com
  - https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/
  - https://msedgewebdriverstorage.blob.core.windows.net/edgewebdriver/
- Chrome and/or Edge installed on PSM servers; whichever you utilize.
How-to steps —
- Stage the WebDriverUpdater tool and PS script onto the PSM server under c:\staging\ or a folder name of your choice.
- Right-click the WebDriverUpdater tool zip file and click Properties. Click Unblock on the bottom right if needed.
- Extract the zip file.
- Copy the “WebDriverUpdater-v1.0.0.6” folder into the CyberArk PSM>Components> path.
- Update the WebDriverUpdater.exe.config file to include the PSM path, for example C:\Program Files (x86)\CyberArk\PSM\Components. Do not include the path to the ApplockerRuleScript. We’ll be using the custom PS script.
- Copy the PS CustomWebDriverUpdater.ps1 script to the CyberArk PSM>Hardening> path.
- Create a scheduled task per the WebDriverUpdater tool documentation. Call it “Update WebDrivers” or similar.
- Run it under System. Adjust as needed depending on your web proxy configurations.
- Create a new trigger, begin the task on a schedule; daily starting at a future date/time, repeat the task every 30 minutes for a duration of indefinitely.
- Create a new action, Start a program — "C:\Program Files (x86)\CyberArk\PSM\Components\WebDriverUpdater-v1.0.0.6\WebDriverUpdater.exe".
- Create another action, Start a program —
  Program/Script: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
  Add arguments: -noprofile -executionpolicy bypass -file "C:\Program Files (x86)\CyberArk\PSM\Hardening\CustomWebDriverUpdater.ps1"
  Start in: C:\Program Files (x86)\CyberArk\PSM\Hardening
- Back up the chromedriver.exe within C:\Program Files (x86)\CyberArk\PSM\Components\. Rename it to chromedriver.bak
- Run the “Update WebDrivers” scheduled task on demand.
- Wait until it’s finished running.
- Check the logs under C:\Program Files (x86)\CyberArk\PSM\Hardening\ (the script names its log WebDriverUpdaterTool + the current date and time formatted as MMddyyyy_HHmm + _driver_check.log) and under C:\Program Files (x86)\CyberArk\PSM\Components\WebDriverUpdater-v1.0.0.6\Logs.
- Make sure the WebDriver Update tool downloaded chromedriver.exe and placed it under the C:\Program Files (x86)\CyberArk\PSM\Components\ folder.
- Validate that AppLocker allows the hash of the newly created chromedriver.exe file.
- Validate that your PSM Web app connection components still function as expected.
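One way to script the AppLocker validation step, as an added example that is not part of the original walkthrough or the author's GitHub script. It assumes the default PSM path used in this walkthrough; `$TestUser` and the function name `Test-PsmWebDriver` are placeholders, so substitute an account your PSM sessions actually run under.

```powershell
# Added example: post-update check for the driver the scheduled task downloads.
# Assumptions: default PSM install path; $TestUser is a placeholder account.
param(
    [string]$DriverPath    = 'C:\Program Files (x86)\CyberArk\PSM\Components\chromedriver.exe',
    [string]$TestUser      = 'Everyone',
    [int]   $WindowMinutes = 30   # same window the custom script uses
)

function Test-PsmWebDriver {
    param([string]$Path, [string]$User, [int]$Minutes)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Driver not found: $Path"
    }
    $file = Get-Item -LiteralPath $Path
    $age  = (Get-Date) - $file.CreationTime

    # The hash as AppLocker computes it. For executables this can differ
    # from Get-FileHash output, so compare rules against this value.
    $info = Get-AppLockerFileInformation -Path $Path

    # Evaluate the file against the policy currently enforced on this server.
    $decision = Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $Path -User $User

    [pscustomobject]@{
        Path            = $file.FullName
        Created         = $file.CreationTime
        CreatedInWindow = ($age.TotalMinutes -le $Minutes)
        AppLockerHash   = "$($info.Hash)"
        PolicyDecision  = "$($decision.PolicyDecision)"
        MatchingRule    = "$($decision.MatchingRule)"
    }
}

$result = Test-PsmWebDriver -Path $DriverPath -User $TestUser -Minutes $WindowMinutes
$result | Format-List

# A non-zero exit code lets a monitoring job flag a driver that was replaced
# but is not covered by an AppLocker rule.
if ($result.PolicyDecision -notin 'Allowed', 'AllowedByDefault') {
    Write-Warning "AppLocker does not allow $DriverPath for user $TestUser"
    exit 1
}
```

Run it from an elevated PowerShell prompt on the PSM server after the “Update WebDrivers” task finishes. A `DeniedByDefault` decision means no rule matched the new driver, which points to the AppLocker hardening not having re-run.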
Recommended items:
- Determine your web proxy configuration, and whether you need a service account with proxy access to pull down the drivers. Each company’s configuration is different.
- Perform your validation of this setup within your own CyberArk Lab environment before deploying to Production. I’m not responsible for your own actions.
- Update your browser version manually on the PSM server, and run the “Update WebDrivers” task on-demand to make sure all items work correctly in your environment.
- Fork my GitHub repository and improve the script further as needed.