We have addressed an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus. This article provides more information on the issue and how to resolve it.
An authentication bypass vulnerability affecting REST API URLs that could result in remote code execution (RCE).
This is a critical issue. We are noticing indications of this vulnerability being exploited.
ADSelfService Plus builds up to 6113 are affected.
This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE.
ManageEngine has developed an exclusive tool to identify if an ADSelfService Plus installation has been affected by this authentication bypass vulnerability.
"Result: Your ADSelfService Plus installation is affected by authentication bypass vulnerability."
Besides using this tool, you can manually check whether your installation has been affected by following these steps.
In the \ManageEngine\ADSelfService Plus\logs folder, search the access log files matching the pattern access_log_<date>.txt and check for entries containing the strings listed below:
The image below shows such an access log entry:
In the \ManageEngine\ADSelfService Plus\logs folder, search the log files matching the pattern serverOut_<date>.txt and check for the exception shown in the image below:
In the \ManageEngine\ADSelfService Plus\logs folder, search the log files matching the pattern adslog_<date>.txt and check for Java stack traces (tracebacks) that include references to NullPointerException in addSmartCardConfig or getSmartCardConfig, as shown in the image below:
Affected systems running build 6113 or lower will have the following files in the ADSelfService Plus installation folder:
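The three log checks above can be run in one pass over the logs folder. The script below is an added example written for this article, not ManageEngine's detection tool or any code from the product. The access log strings and the serverOut exception text are not reproduced on this page, so they appear as operator-supplied placeholders (ACCESS_LOG_INDICATORS, SERVEROUT_INDICATORS) that you replace with the values from the advisory; the adslog signature (a NullPointerException stack trace whose frames reference addSmartCardConfig or getSmartCardConfig) is the one the article names. The drive letter in the default path is assumed, and the sample log lines are constructed for the demonstration. The file-presence check for the installation folder is not covered, since the file names are not on this page.

```python
"""Scan ADSelfService Plus log files for the indicators the advisory describes.

Added example, not ManageEngine's detection tool. The advisory does not
reproduce the access-log strings or the serverOut exception text, so those
are operator-supplied placeholders here; the adslog signature (a
NullPointerException traceback referencing addSmartCardConfig or
getSmartCardConfig) is the one the advisory names.
"""
import glob
import os
import tempfile

# PLACEHOLDERS: replace with the strings the advisory lists for each log type.
ACCESS_LOG_INDICATORS = ["PLACEHOLDER_ACCESS_LOG_STRING"]
SERVEROUT_INDICATORS = ["PLACEHOLDER_SERVEROUT_EXCEPTION"]
# Method names given on the advisory page.
TRACEBACK_METHODS = ("addSmartCardConfig", "getSmartCardConfig")


def find_substrings(lines, indicators):
    """Return (line_number, text) for every line containing an indicator substring."""
    return [(n, ln.rstrip("\n")) for n, ln in enumerate(lines, 1)
            if any(ind in ln for ind in indicators)]


def find_npe_tracebacks(lines):
    """Return 1-based line numbers of NullPointerException entries whose stack
    frames (the indented 'at ...' / 'Caused by' lines that follow) reference
    addSmartCardConfig or getSmartCardConfig. The frame walk stops at the next
    non-frame line, so an unrelated NPE earlier in the file is not matched."""
    hits = []
    for n, line in enumerate(lines):
        if "NullPointerException" not in line:
            continue
        frames = [line]
        j = n + 1
        while j < len(lines) and lines[j].lstrip().startswith(("at ", "...", "Caused by")):
            frames.append(lines[j])
            j += 1
        if any(m in f for f in frames for m in TRACEBACK_METHODS):
            hits.append(n + 1)
    return hits


def scan_log_dir(log_dir):
    """Apply the three advisory log checks to every matching file in log_dir."""
    findings = {"access_log": [], "serverOut": [], "adslog": []}
    checks = [("access_log", ACCESS_LOG_INDICATORS), ("serverOut", SERVEROUT_INDICATORS)]
    for key, indicators in checks:
        for path in sorted(glob.glob(os.path.join(log_dir, f"{key}_*.txt"))):
            with open(path, encoding="utf-8", errors="replace") as f:
                findings[key] += [(path, n, txt) for n, txt in find_substrings(f, indicators)]
    for path in sorted(glob.glob(os.path.join(log_dir, "adslog_*.txt"))):
        with open(path, encoding="utf-8", errors="replace") as f:
            findings["adslog"] += [(path, n) for n in find_npe_tracebacks(f.readlines())]
    return findings


def is_affected(findings):
    """True if any of the three checks produced a hit."""
    return any(findings.values())


def build_sample_log_dir(with_indicators=True):
    """Write CONSTRUCTED sample logs to a temp dir (not real product output)."""
    d = tempfile.mkdtemp(prefix="adssp_logs_")
    access = ['10.0.0.5 - - [01/Jan/2021:00:00:00 +0000] "GET /index.html HTTP/1.1" 200\n']
    serverout = ["INFO: server started\n"]
    adslog = ["INFO: scheduler started\n",
              "SEVERE: java.lang.NullPointerException\n",            # unrelated NPE ...
              "\tat com.constructed.example.Foo.bar(Foo.java:10)\n",  # ... must not match
              "INFO: noise\n"]
    if with_indicators:
        access.append('10.0.0.5 - - [01/Jan/2021:00:00:01 +0000] '
                      '"GET /PLACEHOLDER_ACCESS_LOG_STRING HTTP/1.1" 200\n')
        serverout.append("SEVERE: PLACEHOLDER_SERVEROUT_EXCEPTION\n")
        adslog += ["SEVERE: java.lang.NullPointerException\n",
                   "\tat com.constructed.example.SmartCard.getSmartCardConfig(SmartCard.java:55)\n"]
    for name, lines in (("access_log_2021-01-01.txt", access),
                        ("serverOut_2021-01-01.txt", serverout),
                        ("adslog_2021-01-01.txt", adslog)):
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.writelines(lines)
    return d


if __name__ == "__main__":
    # Drive letter assumed; the advisory gives only \ManageEngine\ADSelfService Plus\logs.
    target = r"C:\ManageEngine\ADSelfService Plus\logs"
    log_dir = target if os.path.isdir(target) else build_sample_log_dir()
    result = scan_log_dir(log_dir)
    for key, hits in result.items():
        for hit in hits:
            print(key, *hit)
    print("affected" if is_affected(result) else "no indicators found")
```

Run it on the server itself (or on a copy of the logs folder) with the placeholder lists filled in. Because the stack-trace walk stops at the first non-frame line, a NullPointerException from an unrelated code path does not produce a hit just because a smart card config frame appears later in the same file; only the trace that actually contains addSmartCardConfig or getSmartCardConfig is reported.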
If you have confirmed that your installation has been compromised, follow these steps:
This vulnerability can be exploited in unpatched ADSelfService Plus installations. Therefore, even if your installation has not been affected yet, you must update ADSelfService Plus to the latest build, 6114, using the service pack.
If you need further information, have any questions, or face any difficulties updating ADSelfService Plus, please get in touch with us at email@example.com, or 1-888-720-9500 (toll free).