Access control mechanism improvements in Next-Gen Antivirus

This document highlights security updates for the Next-Gen Antivirus module within Endpoint Central. A couple of vulnerabilities were reported to us, and we have addressed them to ensure the continued security of our product.

Release Notes

Severity: High
Update Release Date: 2nd April 2024
Reported by: Jayateertha Guruprasad via the ManageEngine Bug Bounty program.

What were the problems?

  • Due to an improper implementation of scope-based access control, the following vulnerabilities were reported in the Next-Gen Antivirus module:
    1. Basic computer information might have been exposed to users beyond their scope.
    2. Technicians with limited access were able to isolate/de-isolate devices outside of their designated scope.

How were the problems resolved?

The respective scope-based access controls were improved.
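
As an added illustration (not ManageEngine's code, and not a description of the actual fix), the sketch below shows a server-side scope check applied to both kinds of operation named above: reading basic computer information and changing a device's isolation state. The technician, device, group and function names are hypothetical, and the inventory is constructed sample data.

```python
# Illustrative model only: every name and record here is hypothetical.
from dataclasses import dataclass

class OutOfScope(PermissionError):
    """Raised when a technician targets a device outside their scope."""

@dataclass
class Device:
    device_id: int
    name: str
    group: str
    isolated: bool = False

@dataclass(frozen=True)
class Technician:
    name: str
    groups: frozenset          # device groups this technician may manage
    all_devices: bool = False  # True for an unrestricted administrator

# Constructed sample inventory.
DEVICES = {
    1: Device(1, "hq-laptop-01", "HQ"),
    2: Device(2, "branch-pc-07", "Branch"),
}

def device_in_scope(tech, device_id):
    """Resolve a device and enforce scope in one place, server side."""
    device = DEVICES.get(device_id)
    # Same error for "unknown" and "out of scope", so the reply does not
    # reveal whether an out-of-scope device ID exists.
    if device is None or not (tech.all_devices or device.group in tech.groups):
        raise OutOfScope(f"device {device_id} is not in scope for {tech.name}")
    return device

def get_computer_info(tech, device_id):
    """Read path: basic computer information, only for in-scope devices."""
    device = device_in_scope(tech, device_id)
    return {"id": device.device_id, "name": device.name, "isolated": device.isolated}

def set_isolation(tech, device_id, isolated):
    """Write path: isolate or release a device, only if it is in scope."""
    device = device_in_scope(tech, device_id)
    device.isolated = isolated
    return device.isolated

def list_devices(tech):
    """List views filter by scope too, not only single-device lookups."""
    return sorted(d.device_id for d in DEVICES.values()
                  if tech.all_devices or d.group in tech.groups)
```

Routing the read path, the write path and the list view through one scope decision keeps a limited technician from reaching a device simply by supplying its ID.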

Fix Build:

For Enterprise:
  • Builds 11.3.2406.05 and below: upgrade to 11.3.2406.08
  • Builds 11.3.2400.12 and below: upgrade to 11.3.2400.15

How to fix it?

This has been identified and fixed in Endpoint Central builds released on 2nd April 2024.

To apply this fix, follow the steps below:

  1. Log in to the product console.
  2. Click on your current build number (top right corner).
  3. Download and install the latest applicable update (PPM).

Note: This vulnerability applies to both On-Premises and Cloud versions.

Contact Support

If you have any questions or require further assistance, please don't hesitate to contact our support team.