CVE code: CVE-2021-40539
Versions affected: ADSelfService Plus builds up to 6113
Fix: ADSelfService Plus build 6114 (Sep 7, 2021)
This page covers details of the vulnerability and an incident response plan if your system is affected. For more information on the latest updates and the timeline of the vulnerability, you can visit this page. Have questions about this vulnerability? Check out our detailed FAQ page. You can also sign up for a complimentary vulnerability audit on this page. Our emergency support team will help you through a one-on-one session and manually run the tool, check for indicators of compromise, and answer all your questions.
We were notified about an authentication bypass vulnerability in ADSelfService Plus affecting the REST API URLs that could result in remote code execution.
The REST API URLs are authenticated by a specific security filter in ADSelfService Plus.
Attackers used specially crafted REST API URLs that were able to bypass this security filter due to an error in normalizing the URLs before validation. This, in turn, gave attackers access to REST API endpoints, and they exploited the endpoints to perform subsequent attacks such as arbitrary command execution. The following exploit analysis flowchart shows how the attackers exploited the vulnerability.
There are three ways to check if your installation is affected:
We have developed an exploit detection tool to help you identify whether your installation has been affected by this vulnerability. You can download the tool here. Once you have downloaded the file, follow these steps:
If you want to check for logs manually, you can follow the steps given below.
In the \ManageEngine\ADSelfService Plus\logs folder, search the access log files with the pattern "access_log_<date>.txt" and check for entries with the strings listed below:
The image below shows an access log entry example with the above-mentioned strings:
In the \ManageEngine\ADSelfService Plus\logs folder, search the access log files with the pattern "serverOut_<date>.txt" and check for an exception as shown in the image below:
In the \ManageEngine\ADSelfService Plus\logs folder, search the access log files with the pattern "adslog_<date>.txt" and check for Java traceback errors that include references to NullPointerException in addSmartCardConfig or getSmartCardConfig as shown in the image below:
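The adslog check described above can be scripted. The following Python sketch is an added example, not ManageEngine's exploit detection tool; it assumes the tracebacks use standard Java stack-frame formatting, and the timestamps and `com.example` class names in the sample are constructed.

```python
import re
from pathlib import Path

# Method names the advisory ties to NullPointerException tracebacks.
SUSPECT_METHODS = ("addSmartCardConfig", "getSmartCardConfig")
FRAME = re.compile(r"^\s+at\s+([^\s(]+)\(")  # standard Java stack-frame line

def find_suspect_traces(lines):
    """Return (header_line_number, method) for each NullPointerException
    traceback that has a frame in one of SUSPECT_METHODS."""
    hits, trace_start = [], None
    for number, line in enumerate(lines, start=1):
        frame = FRAME.match(line)
        if frame is None:
            # A non-frame line ends any open traceback; an NPE header opens one.
            trace_start = number if "NullPointerException" in line else None
        elif trace_start is not None:
            method = frame.group(1).rsplit(".", 1)[-1]
            if method in SUSPECT_METHODS:
                hits.append((trace_start, method))
                trace_start = None  # report each traceback once
    return hits

def scan_log_dir(log_dir):
    """Apply the check to every adslog_<date>.txt file in log_dir."""
    results = {}
    for path in sorted(Path(log_dir).glob("adslog_*.txt")):
        with path.open(encoding="utf-8", errors="replace") as handle:
            hits = find_suspect_traces(handle)
        if hits:
            results[path.name] = hits
    return results

# Constructed sample: timestamps and com.example class names are invented.
SAMPLE = [
    "2021-09-05 10:01:02 ERROR java.lang.NullPointerException",
    "\tat com.example.sso.SmartCardAPI.getSmartCardConfig(SmartCardAPI.java:88)",
    "\tat com.example.rest.Dispatcher.handle(Dispatcher.java:41)",
    "2021-09-05 10:03:10 ERROR java.lang.NullPointerException",
    "\tat com.example.mail.Notifier.send(Notifier.java:17)",
    "2021-09-05 10:04:55 ERROR java.lang.IllegalStateException: not ready",
    "\tat com.example.sso.SmartCardAPI.addSmartCardConfig(SmartCardAPI.java:52)",
    "2021-09-05 10:06:30 ERROR java.lang.NullPointerException",
    "\tat com.example.util.Json.parse(Json.java:9)",
    "\tat com.example.sso.SmartCardAPI.addSmartCardConfig(SmartCardAPI.java:60)",
]

if __name__ == "__main__":
    for line_no, method in find_suspect_traces(SAMPLE):
        print(f"line {line_no}: NullPointerException in {method}")
```

Call `scan_log_dir` with the path to the \ManageEngine\ADSelfService Plus\logs folder; the unrelated NullPointerException and the non-NPE trace in the sample are deliberately not reported.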
If you are running ADSelfService Plus version 6113 or lower, and if your system has been affected, your system will have the following files in the ADSelfService Plus installation folder:
Check for system compromise:
|Yes ↓||No ↓|
|1. Disconnect the affected system from your network.||1. Update to ADSelfService Plus build 6114 using the service pack.|
|2. Back up the ADSelfService Plus database using these steps.||2. If you need further information, have any questions, or face any difficulties updating ADSelfService Plus, please get in touch with us at firstname.lastname@example.org or +1.408.916.9890 (toll free).|
|3. Format the compromised machine.|
|4. Download and install ADSelfService Plus. A. The build version of the new installation should be the same as that of the backup. B. It is highly recommended to utilize a different machine for the new installation.|
|5. Restore the backup and start the server.|
|6. Once the server is up and running, update ADSelfService Plus to the latest build, 6114, using the service pack.|
|7. Check for unauthorized access or use of accounts. Also, check for any evidence of lateral movement from the compromised machine to other machines. If there are any indications of compromised Active Directory accounts, initiate a password reset for those accounts.|
|8. If you need further information, have any questions, or face any difficulties updating ADSelfService Plus, contact our emergency support hotline: email@example.com or +1.408.916.9890 (toll free)|
Need further assistance? Fill out this form, and we'll contact you right away.