Our response to CVE-2023-35719

Recently, a concern was raised by a third party, referred to as CVE-2023-35719, regarding a suspected vulnerability in our ManageEngine ADSelfService Plus on-premises product. After a thorough investigation, we have determined that the reported issue is not a vulnerability within our software but rather a consequence of insecure configurations and improper deployment practices. In this post, we would like to address this concern, clarify our position, and reiterate the steps our customers are required to take to ensure the security of their installations.

The reported concern revolves around the usage of our product in HTTP mode without configuring Transport Layer Security (TLS) appropriately. It is crucial to note that the ADSelfService Plus product allows customers to explore its functionality during the proof-of-concept (PoC) stage without requiring a valid TLS certificate. However, it is essential to understand that this mode should only be used for initial exploration and never in a production environment.

Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication over the internet. By configuring our product in HTTPS mode, which involves obtaining and installing a valid TLS certificate, the traffic between clients and the server becomes encrypted and protected against potential security threats. It ensures the confidentiality and integrity of data transmitted between the parties involved.

To ensure the security of our on-premises server product, we have issued comprehensive deployment guidelines to our customers. These guidelines explicitly highlight the importance of configuring our product in HTTPS mode for secure deployments. Please refer to:

https://download.manageengine.com/products/self-service-password/adselfservice-plus-ssl-installation-guide.pdf

https://download.manageengine.com/products/self-service-password/adselfservice-plus-post-deployment-security-measures.pdf

We understand that some customers may require additional flexibility during the proof-of-concept stage, so we provide an option to disable TLS certificate validation; validation itself is enabled by default (secure-by-default). This option was introduced based on customer feedback, allowing customers to troubleshoot TLS issues or explore agent-side functionality during the PoC stage without facing TLS exceptions. It is crucial to note that validation should only be disabled temporarily and never in the production stage.

With respect to our ADSelfService Plus Login Agent, it is equally important to properly deploy and configure the agent software, which is installed on client computers and communicates with the server. If the server is configured in non-HTTPS mode (without TLS) during the proof-of-concept (PoC) stage, the agent will communicate using the HTTP protocol. However, when moving to the production stage, customers are required to configure TLS on the server and reconfigure the agent to operate in HTTPS (TLS) mode by reinstalling it. This ensures secure communication between agents and servers, maintaining the confidentiality and integrity of the transmitted data.

To streamline the Login Agent deployment process and ensure adherence to secure configurations, we offer a Login Agent scheduler. This feature allows customers to install the agent on all user machines within their domain automatically and propagates any configuration changes (such as the move from HTTP to HTTPS). Please refer to our documentation for the Login Agent scheduler.

Using outdated software, such as Login Agent version 4.2.9 (almost a decade old) that the third party used, poses significant risks. Staying up to date with the latest software versions ensures security and overall performance.

To mitigate the risks associated with misconfigurations, ManageEngine emphasizes the following secure deployment guidelines:

  1. While deploying our product to production, always procure a valid TLS certificate and configure the product in HTTPS mode to ensure secure communication between clients and servers. Ensure that the product access URL is configured to HTTPS mode after installing the TLS certificate. Please refer to our documentation here.
  2. The option to disable TLS certificate validation should be used sparingly, only for troubleshooting or product exploration during the PoC stage. It should never be disabled in the production environment.
  3. Install Login Agents only after configuring the server and the Access URL in HTTPS mode. If you installed Login Agents while in HTTP mode (PoC stage), reinstall the agents after configuring TLS and the Access URL, or configure Login Agent schedulers.
  4. Keep your servers and agents up to date. Software updates and patch releases are essential for maintaining the security of any software product. As technology advances, new vulnerabilities and security threats emerge, and software vendors continuously work to address these risks by releasing updates and patches. By using the latest software versions, users benefit from the latest security enhancements, fixes, and safeguards against potential vulnerabilities.
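A way to check guidelines 1 and 2 from the outside before Login Agents are rolled out: connect to the configured access URL with a strictly verifying TLS context and report whether the scheme is HTTPS and whether the server completes a handshake with a certificate the local trust store accepts. This is an added example, not ManageEngine's code; the access URL is an assumption, and the plaintext stub server is a constructed stand-in for a server left in HTTP mode.

```python
"""Audit an ADSelfService Plus access URL for the HTTP-mode misconfiguration
discussed above (added example, not vendor code; the URL is an assumption)."""
import socket
import ssl
import threading
from urllib.parse import urlparse


def audit_access_url(url: str, timeout: float = 3.0) -> list:
    """Return findings; an empty list means the URL is HTTPS and the server
    presents a chain and hostname that the system trust store accepts."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or "localhost"
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    if parsed.scheme != "https":
        findings.append("access URL scheme is not https (PoC-only HTTP mode)")
    # Strict context: chain + hostname verification, the opposite of the
    # 'disable TLS certificate validation' option mentioned in the post.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # handshake done and chain verified
    except ssl.SSLCertVerificationError as exc:
        findings.append(f"certificate rejected: {exc.verify_message}")
    except ssl.SSLError:
        findings.append("port does not complete a TLS handshake: plaintext")
    except OSError as exc:
        findings.append(f"connection failed: {exc}")
    return findings


def start_plaintext_stub() -> int:
    """Constructed stand-in for a server left in HTTP mode: it reads the
    ClientHello and answers with a plaintext HTTP line. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(3.0)
        conn.recv(65536)  # drain the ClientHello so the close is a clean FIN
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against the stub, `audit_access_url` reports both the non-HTTPS scheme and the failed handshake; against a production server with a valid certificate and an HTTPS access URL it returns an empty list.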

We want to clarify that the reported suspected vulnerability is, in fact, a series of misconfigurations rather than an inherent software vulnerability. By following our secure deployment guidelines, customers can ensure that ADSelfService Plus operates in a secure manner. We remain committed to providing ongoing support, education, and resources to assist our customers in implementing best practices for secure deployment.

If you have any questions, concerns, or require assistance with the deployment or configuration of our product, please reach out to our dedicated customer support team at support@adselfserviceplus.com.
