A critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform could allow remote attackers to bypass authentication and have free rein across users’ Active Directory (AD) and cloud accounts.
An authentication bypass vulnerability in the ManageEngine ADSelfService Plus platform leading to remote code execution offers up the keys to the corporate world.
This issue (CVE-2021-40539) has been actively exploited in the wild as a zero-day, according to the US Cybersecurity and Infrastructure Security Agency (CISA).
Zoho issued a patch on Tuesday, and CISA warned that admins should not only apply it immediately, but also ensure in general that ADSelfService Plus is not directly accessible from the internet. The issue affects builds 6113 and below (the fixed version is 6114).
Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) solution for AD and cloud apps, meaning that any cyber-attacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD.
It is, in other words, a powerful, highly privileged application that can act as a convenient point of entry to areas deep inside an enterprise’s footprint, for users and attackers alike.
“Ultimately, this underscores the threat posed to internet-facing applications,” Matt Dahl, Principal Intelligence Analyst for Crowdstrike, noted. “These don’t always get the same attention as exploit docs with decoy content, but the variety of these web-facing services gives actors lots of options.”
This isn’t Zoho’s first zero-day rodeo. In March 2020, researchers disclosed a zero-day vulnerability in Zoho’s ManageEngine Desktop Central, an endpoint management tool that helps users manage their servers, laptops, smartphones and more from a central location.
The critical bug (CVE-2020-10189, with a CVSS score of 9.8) allowed an unauthenticated, remote attacker to gain complete control over affected systems – “basically the worst it gets,” researchers observed at the time.
Authentication Bypass and RCE
The issue is an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus, which could lead to remote code execution (RCE), according to Zoho’s knowledge-base advisory.
“This vulnerability allows an attacker to gain unauthorised access to the product through REST API endpoints by sending a specially crafted request,” according to the firm. “This would allow the attacker to carry out subsequent attacks resulting in RCE.”
Echoing CISA’s assessment, Zoho also noted that “We are noticing indications of this vulnerability being exploited.” The firm characterised the issue as “critical” although a CVSS vulnerability-severity rating has not yet been calculated for the bug.
Highly Targeted and Limited
Further technical details are for now limited (and no public exploit code appears to be visible as yet), but Dahl noted that the zero-day attacks have been going on for a while:
However, he commented that the attacks have thus far been highly targeted and limited, and are possibly the work of a single, as yet unknown, player.
“Actor(s) appeared to have a clear objective with ability to get in & get out quickly,” he tweeted.
He also noted similarities to the attacks taking place on Atlassian Confluence instances (CVE-2021-26084), which also started out as limited and targeted. However, in that case, researchers were able to “rapidly produce” a PoC exploit, he pointed out, and eventually there was proliferation to multiple targeted-intrusion players, usually resulting in crypto-mining activity (as seen in the recent Jenkins attack).
Atlassian Confluence, like ADSelfService Plus, allows centralised cloud access to a range of sensitive corporate information, being a collaboration platform where business teams can organise their work in one place.
Is Zoho ADSelfService Plus Vulnerable?
Users can tell whether they have been affected by checking the \ManageEngine\ADSelfService Plus\logs folder for the following strings in the access log entries:
Zoho also stated that users running a vulnerable version will find the following files in the ADSelfService Plus installation folder:
- A .cer file in the \ManageEngine\ADSelfService Plus\bin folder.
- A .jsp file in the \ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder.
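The two file checks above, plus a search of the access logs, can be scripted so that an admin can sweep every ADSelfService Plus host the same way. The following PowerShell is an added example written for this page; it is not code from Zoho or from the article. It assumes the default install root `C:\ManageEngine\ADSelfService Plus` (adjust `-InstallRoot` if yours differs), and because the article does not reproduce the log strings Zoho published, the `-LogIndicators` parameter ships with placeholder values that must be replaced with the strings from the vendor advisory before the log search means anything. It does not check the build number; compare that against 6114 separately.

```powershell
# Added example, not Zoho's or the article's code. Sweeps an ADSelfService Plus
# install for the file-based indicators named in the article and for
# operator-supplied strings in the access logs.
param(
    # Install root; the default is the usual location and is an assumption.
    [string]$InstallRoot = 'C:\ManageEngine\ADSelfService Plus',

    # Strings to look for in the access log entries. The article does not list
    # them, so these are PLACEHOLDERS: replace with the values from Zoho's advisory.
    [string[]]$LogIndicators = @('PLACEHOLDER-LOG-INDICATOR-1', 'PLACEHOLDER-LOG-INDICATOR-2')
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Type, [string]$Path, [string]$Detail)
    $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; Detail = $Detail })
}

# Indicator 1: any .cer file directly under \bin
$binDir = Join-Path $InstallRoot 'bin'
if (Test-Path -LiteralPath $binDir) {
    Get-ChildItem -LiteralPath $binDir -Filter '*.cer' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding -Type 'File' -Path $_.FullName -Detail '.cer present in bin' }
}

# Indicator 2: any .jsp file under \help\admin-guide\Reports
$reportsDir = Join-Path $InstallRoot 'help\admin-guide\Reports'
if (Test-Path -LiteralPath $reportsDir) {
    Get-ChildItem -LiteralPath $reportsDir -Filter '*.jsp' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding -Type 'File' -Path $_.FullName -Detail '.jsp present in Reports' }
}

# Indicator 3: operator-supplied strings anywhere in the logs folder.
# Skipped while the placeholders are still in place, to avoid a false sense of a clean result.
$logDir = Join-Path $InstallRoot 'logs'
$placeholdersOnly = ($LogIndicators | Where-Object { $_ -notlike 'PLACEHOLDER-*' }).Count -eq 0
if ($placeholdersOnly) {
    Write-Warning 'LogIndicators still contain placeholder values; log search skipped.'
}
elseif (Test-Path -LiteralPath $logDir) {
    Get-ChildItem -LiteralPath $logDir -File -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern $LogIndicators -SimpleMatch |
        ForEach-Object {
            Add-Finding -Type 'Log' -Path $_.Path -Detail ("line {0}: {1}" -f $_.LineNumber, $_.Line.Trim())
        }
}

# Report. Exit code 1 when anything was found so the script can be used from a scheduler.
if ($findings.Count -eq 0) {
    Write-Output "No indicators found under $InstallRoot (file checks only if placeholders were left in place)."
    exit 0
}
else {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} indicator(s) found. Treat the host as suspect and preserve the logs folder before remediation." -f $findings.Count)
    exit 1
}
```

Run it from an elevated PowerShell session on the ADSelfService Plus server, for example `.\Check-ADSSPIndicators.ps1 -LogIndicators @('<string from advisory>')`. A non-zero exit means one of the indicators matched; a clean file check says nothing about the log search if the placeholders were left in place, which is why the script warns rather than silently reporting clean.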