Zoho Manage Engine ADSelfService Plus prone to critical vulnerability

Zoho’s Manage Engine is in the news again: it has run into another critical vulnerability that allows an attacker to execute malicious code remotely on the target system. The flaw affects the ADSelfService Plus product of Manage Engine and is tracked as CVE-2021-40539. It carries a CVSS score of 9.8, and the NIST site also rates it as a critical vulnerability.

What is the ADSelfService Plus vulnerability on the Zoho Manage Engine?

The ADSelfService Plus vulnerability is an authentication bypass that abuses REST API endpoints to attack the system. It leads to remote code execution and therefore has a serious impact on the infrastructure. The vulnerability is being exploited by attackers, who are attempting to plant malicious payloads on affected systems.

The vulnerability affects ADSelfService Plus builds up to and including build 6113, so all older builds are impacted by this RCE vulnerability as well. Zoho’s description of the vulnerability is quoted here:

This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE.

Since this vulnerability is being actively exploited, it is advisable to review the access logs and check whether your Manage Engine installation has been targeted.

In the \ManageEngine\ADSelfService Plus\logs folder, search the access log entries for the strings listed below:

  1. /RestAPI/LogonCustomization
  2. /RestAPI/Connection

If these entries are found in the access logs, your installation has been targeted by the attackers. You can also check for compromise by verifying whether the files service.cer and ReportGenerate.jsp are present at the following paths under ADSelfService Plus:

  1. service.cer in \ManageEngine\ADSelfService Plus\bin folder.
  2. ReportGenerate.jsp in \ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder.

If these files are present at those locations under the ADSelfService Plus installation folder, then your Manage Engine ADSelfService Plus installation is affected. You must upgrade ADSelfService Plus to build 6114 to mitigate this threat.
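The two checks above (indicator strings in the access logs, and the two dropped files) can be run in one pass. The following script is an added example written for this post, not tooling from Zoho or Manage Engine. It assumes the folder layout the post gives (logs\, bin\, help\admin-guide\Reports\ under the installation root), reads every file in the logs folder as text, and matches the request paths case-insensitively. The demo log lines and the demo installation tree it builds are constructed for illustration; the log format is not claimed to be the product's exact format.

```python
"""Triage helper for the CVE-2021-40539 indicators described in this post.

Added example, not ManageEngine's own tooling. Assumes the install-root layout
from the post; the demo log lines built by build_demo_install() are constructed.
"""
import tempfile
from pathlib import Path

# Request paths to look for in the access logs (from the post)
SUSPICIOUS_PATHS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")

# Files whose presence the post lists as evidence of compromise,
# relative to the ADSelfService Plus installation folder
SUSPICIOUS_FILES = (
    Path("bin") / "service.cer",
    Path("help") / "admin-guide" / "Reports" / "ReportGenerate.jsp",
)


def scan_access_log_lines(lines):
    """Return (line_number, matched_path, line) for every line containing an indicator."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        lowered = line.lower()
        for marker in SUSPICIOUS_PATHS:
            if marker.lower() in lowered:
                hits.append((lineno, marker, line.rstrip("\r\n")))
                break  # one record per line is enough for triage
    return hits


def scan_logs_dir(logs_dir):
    """Scan every file in the logs folder; return {file_name: [hits]} for files with hits."""
    hits = {}
    logs_dir = Path(logs_dir)
    if not logs_dir.is_dir():
        return hits
    for log_file in sorted(p for p in logs_dir.iterdir() if p.is_file()):
        # errors="replace" so a stray non-UTF-8 byte does not abort the scan
        with log_file.open("r", encoding="utf-8", errors="replace") as fh:
            file_hits = scan_access_log_lines(fh)
        if file_hits:
            hits[log_file.name] = file_hits
    return hits


def find_dropped_files(install_root):
    """Return the full paths of the listed files that actually exist on disk."""
    install_root = Path(install_root)
    return [str(install_root / rel) for rel in SUSPICIOUS_FILES if (install_root / rel).is_file()]


def assess(install_root):
    """Combine both checks into one report for the given installation root."""
    install_root = Path(install_root)
    log_hits = scan_logs_dir(install_root / "logs")
    dropped = find_dropped_files(install_root)
    return {
        "log_hits": log_hits,
        "files_present": dropped,
        "indicators_found": bool(log_hits) or bool(dropped),
    }


def build_demo_install(compromised=True):
    """Create a throwaway directory tree with CONSTRUCTED data for demonstration."""
    root = Path(tempfile.mkdtemp(prefix="adssp_demo_"))
    for rel in ("logs", "bin", "help/admin-guide/Reports"):
        (root / rel).mkdir(parents=True)
    benign = [
        '10.0.0.7 - - [09/Sep/2021:10:14:05 +0000] "GET /authorization.do HTTP/1.1" 200 1024',
        '10.0.0.7 - - [09/Sep/2021:10:14:06 +0000] "GET /images/logo.png HTTP/1.1" 200 4096',
    ]
    suspicious = [
        '10.0.0.5 - - [09/Sep/2021:10:14:02 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 512',
        '10.0.0.5 - - [09/Sep/2021:10:14:09 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 77',
    ]
    lines = benign + (suspicious if compromised else [])
    (root / "logs" / "access_log.txt").write_text("\n".join(lines) + "\n", encoding="utf-8")
    if compromised:
        # Placeholder content only; the file name is the indicator, not its body
        (root / SUSPICIOUS_FILES[1]).write_text("constructed placeholder\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    # Point assess() at the real install root on a server, e.g. assess(r"C:\ManageEngine\ADSelfService Plus")
    report = assess(build_demo_install())
    for name, hits in report["log_hits"].items():
        for lineno, marker, line in hits:
            print(f"{name}:{lineno}: {marker} -> {line}")
    for path in report["files_present"]:
        print(f"file present: {path}")
    print("indicators found:", report["indicators_found"])
```

On a production server, call assess() with the real installation root and treat any hit as a reason to preserve the logs and the flagged files before upgrading, since the upgrade removes the vulnerability but not the evidence of what an attacker may already have done.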

Resolution of CVE-2021-40539 on ADSelfService Plus

Whether or not your Manage Engine installation has been impacted, you must upgrade the current ADSelfService Plus build to 6114. The upgrade is delivered as a service pack for ADSelfService Plus, which you can download directly from the Manage Engine website here: https://www.manageengine.com/products/self-service-password/service-pack.html

If you need assistance with the upgrade, or face any difficulties updating ADSelfService Plus, please get in touch with Manage Engine’s ADSelfService Plus team at [email protected], or 1-888-720-9500 (toll free).

Summary

ADSelfService Plus carries a CVSS 9.8 critical vulnerability on builds up to 6113, which means that all installations running those builds are affected. The mitigation is to upgrade to build 6114 using the latest ADSelfService Plus service pack.