iSecurity is publishing threat advisory about critical vulnerabilities that need special attention:
Tracked as CVE-2021-40539, the vulnerability relates to an authentication bypass vulnerability affecting REST API URLs that could enable remote code execution, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn of active exploitation attempts in the wild. The security shortcoming has been rated 9.8 out of 10 in severity.
ManageEngine ADSelfService Plus is a secure, web-based, end-user password reset management program. This software helps domain users to perform password self-service, account self service and self service of their personal details (e.g telephone number, e-mail id, etc.,) in Microsoft Windows Active Directory. The Rest API URLs are authenticated by a specific security filter in ADSelfService Plus.
Attackers used specially crafted Rest API URLs that were able to bypass this security filter due to an error in normalizing the URLs before validation. This, in turn, gave attackers access to REST API endpoints, and they exploited the endpoints to perform subsequent attacks such as arbitrary command execution.
There are two ways to check if your installation is affected:
Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM, your network is being monitored and we will provide regular updates. To those who are not – please feel free to reach out to firstname.lastname@example.org or email@example.com and we will add you to our distribution list.
We will also provide updates to organizations we are servicing through our Incident Response Retainer.
Do not panic but stay safe and protected. We can always connect with you 1-on-1 to provide better guidance on how to gain better visibility into your controls, network, dark web, privileged user access protection and active threat hunting. The landscape around ransomware has evolved as the Healthcare sector is willing to pay ransom and malicious threat actors are now stronger than ever.
Please go ahead and share this with your peers.
For any other questions or concerns, please feel free to reach out to firstname.lastname@example.org.
The iSecurity Team