CVE-2022-23863: A Privilege Escalation Vulnerability

This document addresses a privilege escalation vulnerability identified in ManageEngine Endpoint Central.

CVE ID: CVE-2022-23863
Update Released Build: 10.1.2137.10
Update Released Date: January 25, 2022


What was the problem?

A privilege escalation vulnerability in Endpoint Central (CVE-2022-23863) was identified which may allow an authenticated web user to change passwords of a more privileged web account. This has now been fixed and released on January 25, 2022 and the mitigation is available in build 10.1.2137.10.

How do I fix it?
 

If you are on build 10.1.2137.9:

If you just upgraded to 10.1.2137.9 that was released on January 17, 2022, we have exclusively released a quick fix for you. Quick fixes are QPM upgrades instead of PPM upgrades, which are faster and easier to apply. The purpose of this quick fix is to cut your transition load of back-to-back PPM upgrades. If you do not wish to apply the quick fix, you can upgrade to the latest version using PPM, as normally done. QPM upgrade or PPM upgrade, either way you will reach the latest version of Endpoint Central. For more clarity on the quick fix, read this document.

Please download the quick fix here.


For other builds:

Please upgrade to the latest build 10.1.2137.10 as normally done. You can visit our service packs page and download the latest build. Alternatively, you can also follow the below steps:

  1. Login to your Endpoint Central console, click on your current build number on the top right corner.
  2. You'll be able to find the latest build applicable to you. Download the PPM and update.


FAQs

1. Is QPM temporary fix and should I install the PPM later?

Answer: No, QPM alone will suffice for this fix. It is a quick and effective replacement of PPM upgrade. Since QPM is smaller and quicker to apply, it'll help you avoid difficulties that come with back-to-back PPM upgrades.

2. Will the QPM change the product version to the latest?

Answer: Yes, applying the quick fix (QPM upgrade) will change your build version to 10.1.2137.10 which is the latest. After applying the quick fix (QPM upgrade), you will move to the latest version of Endpoint Central.

3. Will it affect upcoming service pack upgrades?

Answer: No

4. My build version is older than 10.1.2137.9, can I use this quick fix?

Answer: No, this quick fix is exclusively generated for 10.1.2137.9. If you are not in this build, it will not work for you. As per normal, you need to upgrade to the latest build 10.1.2137.10 using PPM.

5. How to verify if the quick fix is applied?

Answer: In Endpoint Central console, navigate to Support -> Upgrade Details. If the fix is successfully applied, you will see the quick fix displayed under the 'Upgrade Details' tab. If the fix installation has failed, a failure alert will be displayed there.

Note: This vulnerability is not applicable for Endpoint Central Cloud.

Help

For any further queries on this, please reach out to Endpoint Central support at desktopcentral-support@manageengine.com.