How to identify and mitigate the unauthenticated product integration vulnerability

Some versions of Exchange Reporter Plus contain a vulnerability that allows the product's integration settings to be changed without authentication. This article explains how to identify whether your Exchange Reporter Plus installation is affected and how to fix it. It also gives mitigation steps to protect your installation if you cannot upgrade immediately.

What is the issue?

Exchange Reporter Plus had a vulnerable endpoint that allowed anyone, without authenticating, to integrate Exchange Reporter Plus with any other supported ManageEngine product. Because integrations exchange data between products, this could lead to data leakage.

Which version of Exchange Reporter Plus is affected?

All Exchange Reporter Plus builds below 5510 are affected.

What is the severity level of the vulnerability?

This is a critical issue. The vulnerability can be exploited without authentication against any Exchange Reporter Plus installation that is exposed to the internet, so the risk to such installations is critical.

How do I check if my installation has been compromised?

  • Log in to Exchange Reporter Plus as an admin.
  • Go to Settings → Admin → General Settings → Integration Settings.
  • If you had not integrated ManageEngine O365 Manager Plus, check whether an integration has now been added. If you had already integrated Exchange Reporter Plus with O365 Manager Plus, check whether the configuration settings have been modified.
  • In the Org/Tenant Settings, check whether any new, additional, or unsanctioned Exchange organizations or tenants have been configured.
  • Check whether the Mail Server settings (Settings → Admin → General Settings → Server Settings) have been altered.

What if I find that my installation has been compromised?

If you find, or suspect, that your Exchange Reporter Plus installation has been compromised:

  1. Shut down the product.
  2. Restore from a backup taken before the suspected compromise, to undo any unauthorized changes.
  3. Update the product to the latest build, 5510, using the service pack, before bringing it back online.
  4. Restart Exchange Reporter Plus.

What should I do to protect Exchange Reporter Plus?

We recommend that you update to the latest build, 5510, even if your instance is unaffected. If, for any reason, you cannot upgrade immediately, perform the following mitigation steps and update to the latest build as early as possible.

  1. Stop Exchange Reporter Plus.
  2. Remove or comment out the following entries in web.xml, located at \webapps\erp\WEB-INF\web.xml under the Exchange Reporter Plus installation directory. The block below shows the entries wrapped in an XML comment:
    <!--
    <servlet-mapping>
      <servlet-name>UpdateProductDetails</servlet-name>
      <url-pattern>/servlet/UpdateProductDetails</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
      <servlet-name>HSKeyAuthenticator</servlet-name>
      <url-pattern>/servlet/HSKeyAuthenticator</url-pattern>
    </servlet-mapping>

    <servlet>
      <servlet-name>HSKeyAuthenticator</servlet-name>
      <servlet-class>com.manageengine.ads.fw.servlet.HSKeyAuthenticator</servlet-class>
    </servlet>

    <servlet>
      <servlet-name>UpdateProductDetails</servlet-name>
      <servlet-class>com.manageengine.ads.fw.servlet.UpdateProductDetails</servlet-class>
    </servlet>
    -->

    Note: Removing or commenting out these entries disables data synchronization with the integrated products until the entries are restored.

  3. Restart Exchange Reporter Plus.
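Steps 1 to 3 above, scripted for the server. This is an added example and not ManageEngine's own tooling; the installation directory, base URL and port below are placeholders you must replace with your own values. The script comments out the four entries rather than deleting them, keeps a timestamped backup of web.xml so the change can be reverted after you upgrade, and, once the product is running again, checks from outside that the two paths now answer 404.

```powershell
# Added example (not ManageEngine's tooling): comment out the two servlet
# definitions and their mappings in web.xml, keep a backup, and then confirm
# that the endpoints no longer answer once the product has been restarted.
# Assumptions to adjust: the install directory and the base URL/port.

$ErpHome = 'C:\ManageEngine\Exchange Reporter Plus'          # assumed install directory
$WebXml  = Join-Path $ErpHome 'webapps\erp\WEB-INF\web.xml'
$Targets = @('UpdateProductDetails', 'HSKeyAuthenticator')   # servlet names from the advisory

function Disable-ErpServlets {
    param([string]$Path, [string[]]$ServletNames)

    # Keep a copy so the change can be reverted after upgrading to build 5510.
    $backup = "$Path.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
    Copy-Item -Path $Path -Destination $backup

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true        # keep the file's existing layout
    $doc.Load($Path)

    # local-name() matches whether or not web.xml declares the Java EE default namespace.
    $nodes = @($doc.SelectNodes("//*[local-name()='servlet' or local-name()='servlet-mapping']"))
    $changed = 0
    foreach ($node in $nodes) {
        $nameNode = $node.ChildNodes | Where-Object { $_.LocalName -eq 'servlet-name' } |
                    Select-Object -First 1
        if ($nameNode -and ($ServletNames -contains $nameNode.InnerText.Trim())) {
            # Replace the element with an XML comment holding its original text:
            # the "comment out" option from the advisory, easy to undo later.
            $comment = $doc.CreateComment(" disabled per advisory: " + $node.OuterXml + " ")
            [void]$node.ParentNode.ReplaceChild($comment, $node)
            $changed++
        }
    }
    $doc.Save($Path)
    Write-Host "Backup written to $backup"
    Write-Host "Commented out $changed element(s) in $Path (4 expected on an unpatched build)."
    return $changed
}

function Test-ErpServletRemoved {
    param([string]$BaseUrl, [string[]]$ServletNames)
    $allRemoved = $true
    foreach ($s in $ServletNames) {
        $uri = "$BaseUrl/servlet/$s"
        try {
            $code = [int](Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15).StatusCode
        } catch {
            # 4xx/5xx responses are raised as exceptions; a missing Response means no connection.
            if ($null -eq $_.Exception.Response) { throw }
            $code = [int]$_.Exception.Response.StatusCode
        }
        # With the mapping gone, nothing is bound to the path and the server answers 404.
        if ($code -eq 404) {
            Write-Host "OK   $uri -> 404"
        } else {
            Write-Host "WARN $uri -> $code (servlet still mapped, or another handler answers)"
            $allRemoved = $false
        }
    }
    return $allRemoved
}

# Run after stopping Exchange Reporter Plus (step 1):
Disable-ErpServlets -Path $WebXml -ServletNames $Targets

# Run after restarting Exchange Reporter Plus (step 3); base URL and port are assumed:
Test-ErpServletRemoved -BaseUrl 'https://erp.example.internal:8181' -ServletNames $Targets
```

If the instance uses a self-signed certificate, add -SkipCertificateCheck to the Invoke-WebRequest call on PowerShell 7, or run the check over plain HTTP if the product is configured for it. Any response other than 404 from the two paths after the restart means the mitigation is not in effect and the file should be re-examined.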

If you need further information, have any questions, or face any difficulties upgrading or performing the recommended steps, please get in touch with us at support@exchangereporterplus.com, or +1 844 649 7763 (toll free).
