Security Advisory

July 7, 2022

An authenticated local file disclosure vulnerability that allows users to download local files has been fixed in AssetExplorer version 6977. Please refer to this security advisory to learn more and upgrade to the latest version.

March 22, 2022

[CVE-2022-25245] A vulnerability that allowed non-login users to extract vendor currency details has been fixed in version 6971. Please visit this link for more information.

December 04, 2021

This security advisory addresses two authentication bypass vulnerabilities that affect AssetExplorer versions up to 6952 (CVE-2021-44526) and AssetExplorer customers who use the Endpoint Central agent for asset discovery (CVE-2021-44515).

Important note: If you are a customer of AssetExplorer who uses the Endpoint Central agent for asset discovery, follow the steps outlined in the advisories for both CVE-2021-44526 and CVE-2021-44515.

If you are a customer of AssetExplorer who does not use the Endpoint Central agent, please only follow the steps outlined in the advisory for CVE-2021-44526, explained in this email.

CVE-2021-44515 affects customers of AssetExplorer who use the Endpoint Central agent for asset discovery, and can lead to a remote code execution attack. We strongly urge customers who use the Endpoint Central agent to refer to this security advisory for more information and the steps to upgrade Endpoint Central to the latest version.

CVE-2021-44526 affects customers using all editions of AssetExplorer versions 6952 and below, irrespective of whether they use the Endpoint Central agent, and we strongly urge all customers to upgrade to the latest version of AssetExplorer immediately.

The rest of the advisory will be focused on CVE-2021-44526, an authentication bypass vulnerability in AssetExplorer versions up to 6952.

Severity: High

Impact:

This vulnerability can allow an adversary to bypass authentication and access the Asset Name and the Asset Field's Allowed Values configurations.

What led to the vulnerability?

One of the application filters used for handling state in the list view was not configured properly, and a crafted URL using this filter would enable an authenticated servlet to be accessed without proper authentication. APIs and other URL calls are not affected.

Who is affected?

This vulnerability affects AssetExplorer customers of all editions using versions 6952 and below.

How have we fixed it?

We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.

How to find out if you are affected

Click the Help link in the top-right corner of the AssetExplorer web client, and select About from the drop-down to see your current version. If your current version is 6952 or below, you might be affected.

Please follow this forum post for any further updates regarding this vulnerability.

What customers should do

Download the upgrade pack from https://www.manageengine.com/products/asset-explorer/service-packs.html and immediately upgrade to the latest version (6953).

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.

Alternatively, customers can also upgrade to the appropriate versions based on their current version; details are listed here.

Customers of AssetExplorer who are using the Endpoint Central agent for asset discovery can refer to this security advisory for information on upgrading Endpoint Central.

Important note: As always, make a copy of the entire AssetExplorer installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at assetexplorer-support@manageengine.com.

Best regards,
Umashankar
ManageEngine AssetExplorer

October 07, 2021

This is a security advisory regarding an insufficient authentication and authorization handling vulnerability (CVE-2021-37414) in ManageEngine Endpoint Central, reported by an external security researcher via our bug bounty program.

Who is affected?

This vulnerability affects customers of ServiceDesk Plus MSP (Professional and Enterprise editions) who have installed Endpoint Central to leverage the unified agent for asset inventory.

Affected build numbers of Endpoint Central:

Endpoint Central installations with the following build numbers are affected:

  • 10.1.2121.03
  • 10.1.2121.02
  • 10.1.2121.04
  • 10.1.2127.01

Severity: High

What was the problem?

An endpoint was found with insufficient access control in the Endpoint Central server, which when exploited could lead to an unauthorized user gaining access to the Endpoint Central instance.

How have we fixed the vulnerability?

The vulnerability has been identified and fixed in the latest build of Endpoint Central. To apply the fix, follow the steps below:

  • Log in to your Endpoint Central console and click your current build number in the top-right corner.
  • Find the latest build applicable to you. Download the PPM and update Endpoint Central.

Note: This vulnerability is not applicable to the cloud editions of Endpoint Central, Patch Manager Plus, and Remote Access Plus.

For further details, please contact support at support@servicedeskplusmsp.com.

Important note: As always, make a copy of the entire Endpoint Central installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the Endpoint Central database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at assetexplorer-support@manageengine.com.

Best regards,
Umashankar
ManageEngine AssetExplorer

July 23, 2021

This is a security advisory regarding a possible authentication bypass vulnerability in a few REST API URLs in AssetExplorer, which has been identified and rectified. Users of AssetExplorer (all editions) with version 6600 and above might be affected by this vulnerability and are advised to update to the latest version (6902) immediately.

Severity: Critical

Impact:

This vulnerability allows an attacker to gain unauthorized access to the application's data through its API support. This would allow the attacker to gain unauthorized access to user data or aid subsequent attacks.

To do so, an attacker has to manipulate any vulnerable API URL path from the assets module with a proper character set replacement. This URL can bypass the authentication process and fetch the required data for the attacker.

What led to the vulnerability?

The security framework layer used in AssetExplorer had an improper URL validation process that led to the vulnerability.

Who is affected?

This vulnerability affects AssetExplorer customers of all editions using versions 6600 and above.

How have we fixed it?

The vulnerability has been addressed by fixing the improper URL validation process in the security framework layer in the latest version of AssetExplorer.
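The advisory does not say which character replacement was involved, so the following is an added example of the general defensive pattern rather than AssetExplorer's own code: decode the request path once, refuse anything that still has a second reading, and make the authentication decision on the canonical form. The route prefix, function names and sample paths are hypothetical, and a case-sensitive router is assumed.

```python
from urllib.parse import unquote

# Hypothetical route table: path prefixes that require an authenticated session.
PROTECTED_PREFIXES = ("/example-api/assets",)


class AmbiguousPath(ValueError):
    """The request path has more than one plausible reading."""


def canonical_path(raw_path: str) -> str:
    """Decode a request path exactly once and return its canonical form."""
    try:
        decoded = unquote(raw_path, errors="strict")
    except UnicodeDecodeError as exc:
        raise AmbiguousPath("invalid UTF-8 in path") from exc
    if not decoded.startswith("/"):
        raise AmbiguousPath("path is not absolute")
    # A leftover '%' means double encoding; ';' starts a path parameter that
    # some servlet containers strip before routing; a backslash may be read
    # as a separator by a later layer.
    if any(c in "%;\\" or ord(c) < 0x20 for c in decoded):
        raise AmbiguousPath("encoded, parameterised or control character")
    segments = decoded.split("/")[1:]
    if any(s in ("", ".", "..") for s in segments[:-1]) or segments[-1] in (".", ".."):
        raise AmbiguousPath("empty or dot segment")
    return decoded.rstrip("/") or "/"


def requires_auth(raw_path: str) -> bool:
    """Match the canonical path, never the raw one, against the route table."""
    path = canonical_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def authorize(raw_path: str, session_user) -> int:
    """Return the HTTP status the filter would answer with: 200, 401 or 400."""
    try:
        needs_auth = requires_auth(raw_path)
    except AmbiguousPath:
        return 400  # fail closed instead of guessing what the router will see
    if needs_auth and session_user is None:
        return 401
    return 200
```

The request must then be dispatched on the value `canonical_path` returned, so that the filter and the router cannot disagree about which resource was asked for.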

How to find out if you are affected

Click the Help link in the top-right corner of the AssetExplorer web client. Select the About option from the drop-down to see your current version. If your current version is 6600 or above, you might be affected.

What customers should do

Customers who fit the above criteria can upgrade to the latest version (6902) using the appropriate migration path here.

Alternatively, customers can also upgrade to the appropriate versions based on their current version; details are listed here.

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.

Important note:

As always, make a copy of the entire AssetExplorer installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at assetexplorer-support@manageengine.com.

Best regards,
Umashankar
ManageEngine AssetExplorer

July 8, 2021

This is a security advisory regarding possible Integer/Heap Overflow - Remote Code Execution (RCE) and Remote Denial of Service vulnerabilities in AssetExplorer, which have been identified and rectified. Users of AssetExplorer with versions up to 6804 might be affected by the vulnerabilities and are advised to update to the latest version (6900) immediately.

Severity: High

Impact:

The Integer/Heap Overflow - RCE vulnerability allows an attacker to send a new scan request to a listening agent on the network and also receive the agent's HTTP request verifying its authtoken. The agent reaching out over HTTP makes it vulnerable to an integer overflow, which can be turned into a heap overflow if the POST payload response is too large. This allows for RCE as NT AUTHORITY/SYSTEM on the agent machine.

The Remote Denial of Service vulnerability might be exploited to repetitively send commands to the AssetExplorer agent, which listens on port 9000 for incoming commands over HTTPS from the ManageEngine server. While these commands may not be executed, the AssetExplorer agent reaches out to the ManageEngine server for an HTTP request, which results in a memory leak. These memory leaks allow a remote attacker to send commands to the agent repetitively and eventually crash the agent due to an out-of-memory condition.

What led to the vulnerabilities?

The Integer/Heap Overflow - RCE vulnerability was caused by the AssetExplorer agent not validating HTTPS certificates, which allows an attacker on the network to statically configure their IP address to match the AssetExplorer server's IP address.

The Remote Denial of Service vulnerability was caused by HTTPS certificates not being verified, which allows any arbitrary user on the network to send commands over port 9000.

Who is affected?

These vulnerabilities affect customers of AssetExplorer using versions up to 6804 and using the product’s asset scanning agents.

How have we fixed them?

Both vulnerabilities have been addressed in AssetExplorer 6900 by adopting the unified agent from Endpoint Central for asset discovery. The existing asset scanning agents have been replaced with these unified agents for scanning Windows, Linux, and macOS devices.

How to find out if you are affected

Click the Help link in the top-right corner of the AssetExplorer web client. Select the About option from the drop-down to see your current version. If your current version is 6804 or below, you might be affected.

What customers should do

Download the upgrade pack here and immediately upgrade to version 6900. Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.

Important note:

As always, make a copy of the entire AssetExplorer installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at assetexplorer-support@manageengine.com.

Best regards,
Umashankar
ManageEngine AssetExplorer

December 22, 2020

This is a security advisory regarding a possible authentication bypass vulnerability in AssetExplorer, which has been identified and rectified. Users of AssetExplorer version 6503 to 6723 who have enabled SAML authentication are affected by this vulnerability and advised to update to the latest version (6724) immediately.

Severity: High

Impact:

This vulnerability might be exploited to log in to an AssetExplorer installation with administrative privileges to access information or change the tool configurations, both of which can be used to provide unauthorized access to user data or aid subsequent attacks. To do so, an attacker would need to carry out two steps. First, they would need to enter the credentials of any user’s account. Then they would need to alter the parameter 'username' to another username with administrative privileges after SAML validation. This would require the attacker to know three pieces of information: the credentials of any user account, the username of an administrator account, and the domain details.

What led to the vulnerability

The security check process used by AssetExplorer to authenticate the username and the user domain post SAML validation had a vulnerability that made it possible to change the parameter 'username' post SAML validation.

This vulnerability could be exploited to log in to an AssetExplorer installation as an administrator.

Who is affected?

This vulnerability affects customers of any edition of AssetExplorer between version 6503 and 6723 who have SAML authentication enabled.

How have we fixed it?

This particular vulnerability has been addressed in AssetExplorer 6724 by fixing the security check mechanism such that authentication occurs with the username and domain details stored securely rather than from direct incoming parameters that can be tampered with easily.
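The difference between the two behaviours described above, as an added example that is not AssetExplorer's code: after SAML validation the identity is stored server-side under a one-time token, and the login step either re-reads the account from request parameters (the pre-fix pattern) or uses only the stored value (the post-fix pattern). The user directory, function names and token scheme are hypothetical, and verification of the SAML response itself is assumed to have happened already.

```python
import secrets

# Constructed directory, (username, domain) -> role. All names are hypothetical.
USERS = {("alice", "CORP"): "technician", ("admin", "CORP"): "administrator"}

# Server-side state: one-time token -> identity taken from the verified assertion.
_pending = {}


def saml_validated(name_id: str, domain: str) -> str:
    """Run after the SAML response signature and conditions have been verified
    (verification itself is out of scope). Returns an opaque one-time token."""
    token = secrets.token_urlsafe(32)
    _pending[token] = (name_id, domain)
    return token


def _session_for(identity):
    """Build a session for a known (username, domain) pair, else None."""
    role = USERS.get(identity)
    if role is None:
        return None
    return {"username": identity[0], "domain": identity[1], "role": role}


def complete_login_vulnerable(token: str, params: dict):
    """Pre-fix pattern from the advisory: identity is re-read from the request."""
    if _pending.pop(token, None) is None:
        return None
    return _session_for((params.get("username"), params.get("domain")))


def complete_login_fixed(token: str, params: dict):
    """Post-fix pattern: identity comes only from what was stored at validation."""
    identity = _pending.pop(token, None)
    if identity is None:
        return None
    name, domain = identity
    # Request parameters are never trusted; a value that disagrees with the
    # stored identity is a tampering signal, so the login is rejected.
    if params.get("username", name) != name or params.get("domain", domain) != domain:
        return None
    return _session_for(identity)
```

A rejected mismatch in `complete_login_fixed` is also worth logging, since a legitimate client has no reason to send a different username after validation.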

How to find out if you are affected

Click the Help link in the top-right corner of the AssetExplorer web client. Select the About option from the drop-down to see your current version. If your current version is between 6503 and 6723 and you are using SAML authentication, you might be affected.

What customers should do

Download the upgrade pack from https://www.manageengine.com/products/asset-explorer/service-packs.html and immediately upgrade to version 6724 or above. Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.

Important note:

As always, make a copy of the entire AssetExplorer installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at assetexplorer-support@manageengine.com.

Best regards,
Umashankar
ManageEngine AssetExplorer

March 11, 2020

Directory traversal vulnerability in AssetExplorer 6700 and 6701

This is a security advisory regarding a directory traversal vulnerability (also known as file path traversal) in AssetExplorer, which has been identified and rectified. Users of AssetExplorer versions 6700 and 6701 are affected by this vulnerability and advised to update to version 6702 or above immediately.

Severity: High

Impact:

An unauthenticated attacker might be able to access arbitrary files on the server running AssetExplorer, outside the web server's document directory, using a specially crafted URL. This vulnerability might be exploited to access sensitive information to aid in subsequent attacks.

What led to the vulnerability

AssetExplorer allows technicians to initiate remote sessions on Windows workstations using the Web Remote capability. This feature is enabled through a third-party tool, RemoteSpark, which is bundled with AssetExplorer. 

The use of RemoteSpark's Spark View Version 5.8 (Build 903-928) in AssetExplorer versions 6700 and 6701 led to this vulnerability.

Who is affected?

Customers of AssetExplorer using versions 6700 and 6701 across all editions are affected by this vulnerability.

How have we fixed it?

This particular vulnerability has been addressed in AssetExplorer 6702 by migrating to RemoteSpark Spark View Version 5.2 (Build 942). RemoteSpark has confirmed with ManageEngine that the issue has been fixed in this version.

How to find out if you are affected

Click the Help link in the top-right corner of the AssetExplorer web client. Select the About option from the drop-down to see your current version. If your current version is 6700 or 6701, you might be affected.

What customers should do

Download the upgrade pack from https://www.manageengine.com/products/asset-explorer/service-packs.html and immediately upgrade to version 6702 or above. Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.

Important note:

As always, make a copy of the entire AssetExplorer installation folder before applying the upgrade and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at assetexplorer-support@manageengine.com.

Best regards,
Umashankar
ManageEngine AssetExplorer
