Zoho ManageEngine CVE-2021-40539 Vulnerability Actively Exploited in the Wild

Summary

CISA recently released an advisory about the active exploitation of a newly identified vulnerability, CVE-2021-40539, in ManageEngine ADSelfService Plus
Category Vulnerability Intelligence
Vulnerability Class Remote Code Execution
CVE ID CVE-2021-40539
CVSS:3.0 Score 9.8
TLP# GREEN
Reference *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability #https://en.wikipedia.org/wiki/Traffic_Light_Protocol
 

Executive Summary

  • CISA recently released an advisory about the active exploitation of a newly identified vulnerability, CVE-2021-40539, in ManageEngine ADSelfService Plus.
  • ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Versions up to 6113 are affected by this vulnerability.
  • Zoho released the patch for ManageEngine ADSelfService Plus build 6114 on 6 September 2021, which fixes this vulnerability.
  • Threat actors could exploit this vulnerability to compromise the internal network, thereby causing remote code execution and/ or exfiltration of sensitive information.
 

Analysis

ManageEngine ADSelfService Plus is a secure, web-based, end-user password reset management software. The security issue identified as CVE-2021-40539 is considered critical as it allows a remote, unauthenticated attacker to execute arbitrary malicious code on a vulnerable system.   This is an authentication bypass vulnerability which affects the REST API URLs that, in turn, could result in remote code execution (RCE). Based on the patch released by Zoho, this vulnerability was caused due to a path normalization bug.   Normalizing a path is the process where the coder modifies the string which identifies a path or file so that it conforms to a valid path on the target operating system.  
Code snippet used for path normalization
Code snippet used for path normalization
 
Identifying if your installation is affected
  ManageEngine has developed a special tool to determine if an ADSelfService Plus installation is vulnerable to the above-mentioned authentication bypass flaw.
  1. Download this ZIP file and extract its content to \ManageEngine\ADSelfService Plus\bin folder.
  2. Right-click on the RCEScan.bat file and run as administrator.
  3. A command prompt window will open. If your installation is affected, you will get the following message:
"Result: Your ADSelfService Plus installation is affected by authentication bypass vulnerability."  
Screenshot of the message displayed on a vulnerable installation
Screenshot of the message displayed on a vulnerable installation
 
Steps to follow if your installation is compromised
  After confirming that your installation is affected by the vulnerability, follow the steps below to rectify it:
  • Firstly, disconnect the machine containing ADSelfService Plus, from your network.
  • Create a backup of the ADSelfService Plus database through these steps.
  • Once all the business-critical data has been successfully backed up, format the compromised machine.
  • Now, again download* and install ManageEngine ADSelfService Plus.
  • After completing the installation, restore the backup and start the server.
  • Once the server is up and running, use the service pack to upgrade the installation to the latest build, which is 6114.
  • Examine accounts for unauthorized access or use. Also, look for signs of lateral movement from the faulty equipment to other machines. If there are any indications suggesting the Active Directory accounts have been compromised, reset their passwords.
*Note:
  • Make sure you're downloading the EXE of the same build as the one you saved the backup for in step 2.
  • Instead of using the impacted machine for this new installation, it is strongly advised to use a different machine.
 

Impact & Mitigation

Impact Mitigation
  • Remote code execution allows the attackers to take control of the target system.
  • Initial access to a corporate endpoint may potentially enable lateral movements in the internal network.
  • Nation-state actors leverage client-side zero-day vulnerabilities to compromise information, while ransomware groups use these vulnerabilities to extort money by encrypting user data.
  • Update ADSelfService Plus to the latest build, 6114 - http://csek.me/Ct0I
  • Ensure that ADSelfService Plus is not directly accessible from the internet.
 

References

Table of Contents

Request an easy and customized demo for free