
CVE-2021-40539 – ZOHO ADSelfService Plus authentication bypass vulnerability – Nov 09, 2021

Introduction

iSecurity is publishing a threat advisory about a critical vulnerability that needs special attention:

  1. An actively exploited authentication bypass vulnerability was identified in ManageEngine ADSelfService Plus.
  2. All versions of ADSelfService Plus up to build 6113 are affected.
  3. Threat actors could exploit this vulnerability to compromise the internal network, thereby causing remote code execution and/or exfiltration of sensitive information.
  4. Zoho released the patch for ManageEngine ADSelfService Plus build 6114, which fixes this vulnerability.

Tracked as CVE-2021-40539, the flaw is an authentication bypass affecting REST API URLs that could enable remote code execution, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn of active exploitation attempts in the wild. The security shortcoming has been rated 9.8 out of 10 in severity.

Actions

  • Please validate that ADSelfService Plus is patched and up to date, i.e. at build 6114.
  • If it is not, please immediately update to ADSelfService Plus build 6114 using the service pack.

ZOHO ADSelfService Plus authentication bypass vulnerability (CVE-2021-40539)

Introduction
ManageEngine ADSelfService Plus is a secure, web-based, end-user password reset management program. This software helps domain users perform password self-service, account self-service and self-service of their personal details (e.g. telephone number, e-mail ID, etc.) in Microsoft Windows Active Directory. The REST API URLs are authenticated by a specific security filter in ADSelfService Plus.

Attackers used specially crafted REST API URLs that were able to bypass this security filter due to an error in normalizing the URLs before validation. This, in turn, gave attackers access to REST API endpoints, and they exploited the endpoints to perform subsequent attacks such as arbitrary command execution.

References

  • https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
  • https://www.bleepingcomputer.com/news/security/state-hackers-breach-defense-energy-healthcare-orgs-worldwide/amp/
  • https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/

Compromise Assessment – Indicators of Compromise

There are two ways to check if your installation is affected:

  • Run the exploit detection tool provided by ZOHO (the download is available from ZOHO's knowledge base article listed under References).
    • Extract the tool to the \ManageEngine\ADSelfService Plus\bin folder.
    • Right-click on the RCEScan.bat file, and select Run as administrator.
    • A Command Prompt window will open and the tool will run a scan. If your installation is affected, you will get the following message:
      “Result: Your ADSelfService Plus installation is affected by authentication bypass vulnerability.”
  • Check for specific files in your system.
    • If you are running ADSelfService Plus build 6113 or lower and your system has been affected, the following files will be present in the ADSelfService Plus installation folder:
      • service.cer in the \ManageEngine\ADSelfService Plus\bin folder.
      • ReportGenerate.jsp in the \ManageEngine\ADSelfService Plus\help\admin-guide\Reports and \ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports folders.
      • adap.jsp in the \ManageEngine\ADSelfService Plus\webapps\adssp\help\html\promotion folder.
      • custom.bat and custom.txt files in the C:\Users\Public\ folder.
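To automate the second check, the following is an added Python script (not ZOHO's RCEScan tool and not iSecurity's own code) that looks for the indicator files listed above under a given install root and Public folder and records size, modification time and SHA-256 for each hit so the evidence can be preserved before remediation. The default paths are assumptions for a standard Windows install; pass the real locations on the command line.

```python
import hashlib
import sys
from datetime import datetime
from pathlib import Path

# Indicator files named in the advisory, relative to the ADSelfService Plus install root.
INSTALL_ROOT_IOCS = [
    Path("bin", "service.cer"),
    Path("help", "admin-guide", "Reports", "ReportGenerate.jsp"),
    Path("webapps", "adssp", "help", "admin-guide", "reports", "ReportGenerate.jsp"),
    Path("webapps", "adssp", "help", "html", "promotion", "adap.jsp"),
]
# Indicator files the advisory lists in the shared Public profile folder.
PUBLIC_DIR_IOCS = [Path("custom.bat"), Path("custom.txt")]


def describe(path: Path) -> dict:
    """Record path, size, mtime and SHA-256 so a hit can be preserved as evidence."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    st = path.stat()
    return {
        "path": str(path),
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
        "sha256": digest,
    }


def assess(install_root: str, public_dir: str) -> dict:
    """Return {"affected": bool, "indicators": [...]} for the given folders."""
    candidates = [Path(install_root) / rel for rel in INSTALL_ROOT_IOCS]
    candidates += [Path(public_dir) / rel for rel in PUBLIC_DIR_IOCS]
    hits = [describe(p) for p in candidates if p.is_file()]
    return {"affected": bool(hits), "indicators": hits}


if __name__ == "__main__":
    # Default locations are assumptions for a standard Windows install; override on the command line.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\ManageEngine\ADSelfService Plus"
    public = sys.argv[2] if len(sys.argv) > 2 else r"C:\Users\Public"
    result = assess(root, public)
    if result["affected"]:
        print("Result: indicator files present; treat the host as compromised.")
        for hit in result["indicators"]:
            print(f"  {hit['path']}  {hit['size']} bytes  {hit['modified']}  sha256={hit['sha256']}")
    else:
        print("Result: none of the advisory's indicator files were found.")
```

Run it with the installation folder and the Public folder as arguments; absence of these files does not prove the host is clean, so the ZOHO tool and the patch level should still be checked.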

Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM, your network is being monitored and we will provide regular updates. To those who are not, please feel free to reach out to raheel.qureshi@isecurityconsulting.com or kees.pouw@isecurityconsulting.com and we will add you to our distribution list.

We will also provide updates to organizations we are servicing through our Incident Response Retainer.

Do not panic but stay safe and protected. We can always connect with you 1-on-1 to provide better guidance on how to gain better visibility into your controls, network, dark web, privileged user access protection and active threat hunting. The landscape around ransomware has evolved as the Healthcare sector is willing to pay ransom and malicious threat actors are now stronger than ever.

Please go ahead and share this with your peers.

For any other questions or concerns, please feel free to reach out to info@isecurityconsulting.com.

Best Regards,

The iSecurity Team