Security
Response Center

Emergency hotline

Emergency assistance for ADSelfService Plus vulnerability (CVE-2021-40539)

Notice

Vulnerability fixed. Update to ADSelfService Plus build 6114 or above immediately.

About the vulnerability

An authentication bypass vulnerability (CVE-2021-40539) that affects the REST API URLs that could result in remote code execution (RCE) was identified in ADSelfService Plus, ManageEngine's self-service password management, and single sign-on solution. ManageEngine rates this vulnerability affecting ADSelfService Plus builds 6113 and below as critical, and has noticed indications of exploitation by cyber actors. Instances of this vulnerability were first detected in August 2021, when malicious actors tried gaining access to ADSelfService Plus by exploiting CVE-2021-40539. This vulnerability allows malicious cyber actors to place webshells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. This was addressed by releasing the fix in build 6114.

In a security advisory ManageEngine released consecutively, it strongly urges users and administrators to update to ADSelfService Plus build 6114 or above. Referencing ManageEngine's advisory, the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity Infrastructure and Security Agency (CISA) in their join advisory have also recommended users to update to ADSelfService Plus build 6114 or above.

We have partnered with Veracode, an independent application security company, to conduct manual pen tests on ADSelfService Plus so that we get a third-person perspective on the security footing of the solution.

ADSelfService Plus build 6114

Released on September 6, 2021, fixes CVE-2021-40539. ManageEngine strongly urges users and administrators to update to ADSelfService Plus build 6114 or above.

Security advisory for CVE-2021-40539

Our security advisory covers the details of the vulnerability, a tool to check if your installation is affected, indicators of compromise (IOCs) and an incident response plan for quick remediation.

Read the advisory

Exploit detection tool

Use the exploit detection tool to run a quick scan and discover any compromises in your installation. The tool checks for the presence of any indicators of compromise (IOCs) associated with the vulnerability CVE-2021-40539 and notifies you if your system is infected.

Download the tool and check if you're compromised

Resources

Watch how to detect and mitigate any compromises in your installation.

How to use the remediation tool to check if your installation is affected
What to do immediately after confirming your installation is affected
What to do if your installation is not affected

Frequently asked questions

1. What is the CVE-2021-40539 vulnerability?

CVE-2021-40539 is an authentication bypass vulnerability concerning the REST API URLs in ADSelfService Plus. This is a critical issue and can allow attackers to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks and perform RCE.
2. Which versions of ADSelfService Plus has this vulnerability?

ADSelfService Plus builds up to 6113 are vulnerable.
3. How do I know if I've been affected by this vulnerability?
1. Run our exploit detection tool

We have developed a remediation tool to help you identify whether your installation has been affected by this vulnerability. You can download the tool here. Once you have downloaded, follow these steps:
- I. Extract the tool to the \ManageEngine\ADSelfService Plus\bin folder.
- II. Right-click on the RCEScan.bat file, and select Run as administrator.
- III. A Command Prompt window will open and the tool will run a scan. If your installation is affected, you will get the following message:
Result: Your ADSelfService Plus installation is affected by the authentication bypass vulnerability.
(or) To manually identify if your installation is affected, follow these steps:

2 (a). Check for specific log entries

a. access log
\ManageEngine\ADSelfService Plus\logs folder, search the access log files of pattern '"access_log_<date>.txt" and check for entries with the strings listed below:

/../RestAPI
/./RestAPI

The image below shows such an access log entry:

b. ServerOut log
In \ManageEngine\ADSelfService Plus\logs folder, search the access log files of pattern '"serverOut_<date>.txt" and check for an exception as shown in the image below:

c. ADS log
In \ManageEngine\ADSelfService Plus\logs folder, search the access log files of pattern '"adslog_<date>.txt" and check for an exception as shown in the image below:
2 (b). Check for specific files in the system

Affected systems may have the following files in the ADSelfService Plus installation folder if you are running versions 6113 or lower:
- I. service.cer in the \ManageEngine\ADSelfService Plus\bin folder.
- II. ReportGenerate.jsp in \ManageEngine\ADSelfService Plus\help\admin-guide\Reports and \ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports folders.
- III. adap.jsp in the \ManageEngine\ADSelfService Plus\webapps\adssp\help\html\promotion folder.
- IV. custom.bat and custom.txt files in the C:\Users\Public\ folder.
Additionally, the below IoCs were published by CrowdStrike on Jun 22, 2023, in connection to their observation of a threat activity suspected to be exploiting CVE-2021-40539.
- V. selfsdp.jspx in \ManageEngine\ADSelfService Plus\webapps\adssp\html\promotion\ folder.
- VI. error.jsp in \ManageEngine\ADSelfService Plus\webapps\adssp\html\ folder.
- VII. tomcat-ant.jar in \ManageEngine\ADSelfService Plus\lib\ folder.
- VIII. Any folder other than selfservice in \ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\ folder.
4. What should I do to keep my environment safe from attackers exploiting this vulnerability?
Implement the remediation steps provided below at the earliest.
- If your installation is affected by the vulnerability
  1. Disconnect the machine with the installation from your network.
  2. Back up the ADSelfService Plus database using these steps.
  3. Format the compromised machine.
    Note: Before formatting the machine, ensure that you have backed up all critical business data.
  4. Download and install ManageEngine ADSelfService Plus. The build of the new installation should be the same as that of the backup.
  5. Restore the backup, and start the server. It is highly recommended to utilize a different hardware setup for the new installation.
  6. Once the server is up and running, update the installation to the latest build, 6114, using the service pack.
  7. Check for unauthorized access to or use of accounts. Also, check for any evidences of lateral movement from the compromised machine to other machines. If there are any indications of compromised Active Directory accounts, initiate password reset for those accounts.
  8. If you need further information, have any questions, or face any difficulties updating ADSelfService Plus, contact our emergency support hotline: adselfserviceplus-security@manageengine.com or +1-408-916-9890 (toll free)
- If your installation is not affected by the vulnerability
  Even if your installation is not affected by the vulnerability, we suggest you update to ADSelfService Plus build 6114 using the service pack.
5. How do I update ADSelfService Plus to build 6114?
Follow the below steps to update ADSelfService Plus to build 6114:
- Shut down ADSelfService Plus
  1. If the product runs as an application, click on Start --› All Programs --› ADSelfService Plus --› Stop ADSelfService Plus.
  2. If the product runs as a Windows service, click on Start --› Run --› type "services.msc" --› Stop "ManageEngine ADSelfService Plus".
- Execute the stopDB.bat file under <ADSelfService Plus>\bin directory.
- Backup ADSelfService Plus by zipping the contents of <ADSelfService Plus> directory.
- If you are using an external database server (MS SQL or MySQL), then take a backup of the database also. If you are using a MySQL server and have McAfee antivirus scanning the machine, then please pause the antivirus software till the update process is complete.
- Open Command Prompt and execute the UpdateManager.bat file under <ADSelfService Plus>\bin directory.
  1. For Windows Vista, Server 2008 and higher machines with User Account Control enabled, start the Command Prompt as an administrator (right-click Command Prompt and select 'Run as Administrator')
- Click Browse and select the PPM file that you have downloaded.
- Click on Install for the service pack. Depending on the amount of data to be migrated, the installation procedure may take a few minutes. Please do not terminate prematurely.
- Click Close and then Exit to quit Update Manager tool.
- Start ADSelfService Plus.
  1. If the product runs as an application, click on Start --› All Programs --› ADSelfService Plus --› Start ADSelfService Plus.
  2. If the product runs as a Windows service, click on Start --› Run --› type "services.msc" --› Start "ManageEngine ADSelfService Plus".
6. How do I find my current build number?

To find your current build number, log in to the ADSelfService Plus web client, and click the "License" link in the top pane. You'll find the build number in the License Details popup.
7. Are there any workarounds that address this vulnerability if I can't update immediately?

Currently, there are no workarounds to address this vulnerability. The threat posed by the vulnerability is critical. Therefore, we strongly recommend you update ADSelfService Plus to the latest build as soon as possible.
8. What is ManageEngine doing to address this vulnerability?

The new ADSelfService Plus build 6114 released on 7th September 2021 fixes the authentication bypass vulnerability.

You can use our exploit detection tool to check if your installation has been affected by this vulnerability. We've also put together an incident response plan to help you immediately address this vulnerability.

For any immediate support regarding this issue, customers can get in touch with us at adselfserviceplus-security@manageengine.com or +1-408-916-9890 (toll free).

To bolster the security of ADSelfService Plus further, our engineering and security teams are taking measures to improve the security of the product.

To ensure that ADSelfService Plus remains secure, we have teamed up with Veracode, an independent application security company, to conduct manual pen tests on ADSelfService Plus. You can learn more about how ManageEngine prevents vulnerabilities in ADSelfService Plus during its development process.
9. Where can I get complete details about this vulnerability and recommended actions?

We've put together a dedicated webpage to keep you up to date on the latest updates from our side, technicalities of the vulnerability, our incident response plan, and recommended actions. Read our security advisory for more info.

Vulnerability audit

In the event of an exploitation, or if you are worried and just want to make doubly sure that your installation is vulnerability free and secure, register below for a complimentary audit.

Our cybersecurity team will provide you personal assistance.

Thank you

Thank you for registering for our vulnerability audit. Our cybersecurity team will soon contact you to provide personal assistance.

By clicking 'Schedule personal assistance' you agree to processing of personal data according to the Privacy Policy.

Thank you for downloading this e-book. Please check your Inbox (or spam) to access this e-book.

Security Response Center

Emergency hotline

Notice

About the vulnerability

Security advisory for CVE-2021-40539

Exploit detection tool

Resources

How to use the remediation tool to check if your installation is affected

What to do immediately after confirming your installation is affected

What to do if your installation is not affected

Frequently asked questions

1. What is the CVE-2021-40539 vulnerability?

2. Which versions of ADSelfService Plus has this vulnerability?

3. How do I know if I've been affected by this vulnerability?

1. Run our exploit detection tool

2 (a). Check for specific log entries

2 (b). Check for specific files in the system

4. What should I do to keep my environment safe from attackers exploiting this vulnerability?

5. How do I update ADSelfService Plus to build 6114?

6. How do I find my current build number?

7. Are there any workarounds that address this vulnerability if I can't update immediately?

8. What is ManageEngine doing to address this vulnerability?

9. Where can I get complete details about this vulnerability and recommended actions?

Vulnerability audit

Our cybersecurity team will provide you personal assistance.

Thank you

Security
Response Center