
Security Advisory - CVE-2021-40539

We have addressed an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus. This article provides more information on the issue and how to resolve it.

What is the issue?

An authentication bypass vulnerability affecting REST API URLs that could result in remote code execution (RCE).

What is the severity of this issue?

This is a critical issue. We are noticing indications of this vulnerability being exploited.

Which versions of ADSelfService Plus are affected?

ADSelfService Plus builds up to 6113 are affected.

How does it impact ADSelfService Plus customers?

This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE.

How do I identify if my installation has been affected?

ManageEngine has developed an exclusive tool to identify if an ADSelfService Plus installation has been affected by this authentication bypass vulnerability.

  1. Download this ZIP file and extract its contents to the \ManageEngine\ADSelfService Plus\bin folder.
  2. Right-click the RCEScan.bat file and choose Run as administrator.
  3. A command prompt window will open. If your installation is affected, you will get the following message:

    "Result: Your ADSelfService Plus installation is affected by authentication bypass vulnerability."

    [Screenshot: RCEScan.bat result window]

Besides using this tool, you can manually check whether your installation has been affected by following these steps.

Checking for specific log entries

  1. Access log

    In the \ManageEngine\ADSelfService Plus\logs folder, search the access log files (file name pattern "access_log_<date>.txt") for entries containing either of the strings listed below:

    1. /../RestAPI
    2. /./RestAPI

    The image below shows such an access log entry:

    [Screenshot: access log entry containing one of the strings above]

  2. ServerOut log

    In the \ManageEngine\ADSelfService Plus\logs folder, search the serverOut log files (file name pattern "serverOut_<date>.txt") for an exception as shown in the image below:

    [Screenshot: exception in the serverOut log]

  3. ADS log

    In the \ManageEngine\ADSelfService Plus\logs folder, search the ADS log files (file name pattern "adslog_<date>.txt") for Java tracebacks that include a NullPointerException in addSmartCardConfig or getSmartCardConfig, as shown in the image below:

    [Screenshot: NullPointerException traceback in the ADS log]

Checking for specific files in the product installation folder

If you are running build 6113 or lower, the following files will be present on an affected system:

  1. service.cer in \ManageEngine\ADSelfService Plus\bin folder.
  2. ReportGenerate.jsp in \ManageEngine\ADSelfService Plus\help\admin-guide\Reports and \ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports folder.
  3. adap.jsp in \ManageEngine\ADSelfService Plus\webapps\adssp\help\html\promotion folder.
  4. custom.bat and custom.txt files in C:\Users\Public\ folder.
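Both manual checks above (the log indicators and the dropped files) can be scripted so they are applied consistently across every log file and installation. The script below is an added example, not ManageEngine's RCEScan.bat or any code from this advisory. It assumes the default C:\ManageEngine\ADSelfService Plus install path and the C:\Users\Public folder named in the advisory; the sample log lines and the com.example package names inside it are constructed for illustration and are not real product output.

```python
"""Added example, not ManageEngine's RCEScan.bat: apply the advisory's manual
checks (log indicators and dropped files) to an ADSelfService Plus install.
Default paths follow the advisory; the sample log lines below are constructed."""
import os
import re
from pathlib import Path

# Access-log indicators the advisory lists (access_log_<date>.txt).
ACCESS_LOG_INDICATORS = ("/../RestAPI", "/./RestAPI")
# Methods the advisory names in NullPointerException tracebacks (adslog_<date>.txt).
ADSLOG_METHODS = ("addSmartCardConfig", "getSmartCardConfig")
# Files the advisory lists on affected systems, relative to the install folder...
SUSPECT_INSTALL_FILES = (
    ("bin", "service.cer"),
    ("help", "admin-guide", "Reports", "ReportGenerate.jsp"),
    ("webapps", "adssp", "help", "admin-guide", "reports", "ReportGenerate.jsp"),
    ("webapps", "adssp", "help", "html", "promotion", "adap.jsp"),
)
# ...and in the Public profile folder (C:\Users\Public in the advisory).
SUSPECT_PUBLIC_FILES = ("custom.bat", "custom.txt")

# Java stack frame "\tat pkg.Class.method(File.java:NN)" -> captures "method".
_TRACE_FRAME = re.compile(r"^\s+at\s+\S+\.(\w+)\(")

def scan_access_log(lines):
    """Return (line_no, line) for access log lines containing a traversal indicator."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(lines, 1)
            if any(ind in line for ind in ACCESS_LOG_INDICATORS)]

def scan_adslog(lines):
    """Return (line_no, method) for frames of a NullPointerException trace that
    reference a smart-card config method. Frames under other exceptions are ignored."""
    hits, in_npe_trace = [], False
    for n, line in enumerate(lines, 1):
        if "java.lang.NullPointerException" in line:
            in_npe_trace = True          # header line; stack frames follow
            continue
        frame = _TRACE_FRAME.match(line)
        if frame is None:
            in_npe_trace = False         # any non-frame line ends the trace
        elif in_npe_trace and frame.group(1) in ADSLOG_METHODS:
            hits.append((n, frame.group(1)))
    return hits

def suspect_file_paths(install_dir, public_dir):
    """Candidate file paths, in the advisory's order."""
    paths = [str(Path(install_dir, *parts)) for parts in SUSPECT_INSTALL_FILES]
    return paths + [str(Path(public_dir, name)) for name in SUSPECT_PUBLIC_FILES]

def check_suspect_files(install_dir, public_dir, exists=os.path.exists):
    """Return the candidate paths that exist. `exists` is injectable for testing."""
    return [p for p in suspect_file_paths(install_dir, public_dir) if exists(p)]

def scan_logs_dir(logs_dir):
    """Apply both log checks to every matching file; returns {filename: hits}."""
    findings, logs = {}, Path(logs_dir)
    for pattern, scanner in (("access_log_*.txt", scan_access_log),
                             ("adslog_*.txt", scan_adslog)):
        for path in sorted(logs.glob(pattern)):
            hits = scanner(path.read_text(errors="replace").splitlines())
            if hits:
                findings[path.name] = hits
    return findings

# Constructed sample lines (not real product logs) to exercise the checks.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [07/Sep/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Sep/2021:10:12:07 +0000] "POST /./RestAPI/SomeEndpoint HTTP/1.1" 200 312',
    '10.0.0.9 - - [07/Sep/2021:10:12:09 +0000] "POST /../RestAPI/SomeEndpoint HTTP/1.1" 200 244',
    '10.0.0.5 - - [07/Sep/2021:10:13:00 +0000] "GET /RestAPI/SomeEndpoint HTTP/1.1" 401 0',
]
SAMPLE_ADSLOG = [
    "[07/Sep/2021 10:12:09] SEVERE: Error while processing request",
    "java.lang.NullPointerException",
    "\tat com.example.SmartCardConfig.addSmartCardConfig(SmartCardConfig.java:87)",
    "\tat com.example.RestApiServlet.doPost(RestApiServlet.java:41)",
    "[07/Sep/2021 10:15:00] INFO: scheduler run",
    "java.lang.IllegalStateException: unrelated failure",
    "\tat com.example.SmartCardConfig.getSmartCardConfig(SmartCardConfig.java:52)",
]

def main(install_dir=r"C:\ManageEngine\ADSelfService Plus", public_dir=r"C:\Users\Public"):
    """Run all checks against a live install; returns True if anything was found."""
    findings = scan_logs_dir(Path(install_dir, "logs"))
    files = check_suspect_files(install_dir, public_dir)
    for name, hits in findings.items():
        print(f"{name}: {len(hits)} indicator line(s), first at line {hits[0][0]}")
    for p in files:
        print(f"suspect file present: {p}")
    return bool(findings or files)

if __name__ == "__main__":
    print("affected" if main() else "no indicators found")
```

Run it on the ADSelfService Plus host, or point main() at a copied logs folder and install tree. The adslog scanner only flags the named methods when they appear inside a NullPointerException trace, so the same method name under an unrelated exception does not count; the serverOut check is left out because the advisory shows that exception only as a screenshot rather than as a string to match. A clean result from this script is not proof of a clean system, and the advisory's own tool and the remediation steps below still apply.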

What should I do if my installation is affected?

If you have confirmed that your installation has been compromised, follow these steps:

  1. Disconnect the machine where ADSelfService Plus is installed from your network.
  2. Back up the ADSelfService Plus database using these steps.
  3. It is recommended to format the compromised machine after making sure there will be no loss of business-critical data.
  4. Download and install ManageEngine ADSelfService Plus.
    • Make sure you download the EXE of the same build as the one you backed up in step 2.
    • It is highly recommended to utilize a different machine for this new installation instead of the affected machine.
  5. Restore the backup, and start the server.
  6. Once the server is up and running, update the installation to the latest build 6114, using the service pack.
  7. Check for unauthorized access to or use of accounts. Also check for any evidence of lateral movement from the compromised machine to other machines. If there are any indications of compromised Active Directory accounts, initiate a password reset for those accounts.

What should I do if my installation is not affected?

This vulnerability can be exploited in unpatched ADSelfService Plus installations. So, even if your installation has not been affected yet, you must update ADSelfService Plus to the latest build, 6114, using the service pack.

If you need further information, have any questions, or face any difficulties updating ADSelfService Plus, please get in touch with us at adselfserviceplus-security@manageengine.com, or 1-888-720-9500 (toll free).
