Zoho ManageEngine ADSelfService Plus Critical Authentication Bypass Vulnerability
Summary
Zoho has released a security advisory and update for a critical authentication bypass vulnerability in their ADSelfService Plus product.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Zoho has released details of a vulnerability in their ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory and cloud apps. The vulnerability, tracked as CVE-2021-40539, is an authentication bypass affecting the REST API URL. An attacker could exploit this vulnerability by sending a specially crafted request and then carry out subsequent attacks resulting in remote code execution (RCE).
Active exploitation
Zoho has detected indicators that CVE-2021-40539 is being actively exploited.
Detections
Organisations can identify whether their system has been affected by exploitation of this vulnerability by searching the access log entries in the \ManageEngine\ADSelfService Plus\logs folder for the following strings:
- /RestAPI/LogonCustomization
- /RestAPI/Connection
A system has been affected if either of these two entries is found in the logs.
In addition, affected systems, running versions 6113 and prior, will have the following files in the ADSelfService Plus installation folder:
- service.cer in \ManageEngine\ADSelfService Plus\bin folder
- ReportGenerate.jsp in \ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder
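As an added example (not code from Zoho or from the advisory), the following Python check applies the two detections above: it searches access-log lines for the two REST API strings and tests for the two files under the installation folder. The log line format and the sample entries are constructed for illustration; the installation path is whatever the host actually uses.

```python
"""Check an ADSelfService Plus host for the CVE-2021-40539 indicators named in the advisory."""
import glob
import os
from pathlib import Path

# REST API paths named in the advisory; their presence in access logs indicates exploitation.
SUSPICIOUS_PATHS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")
# Files the advisory says are present on affected builds 6113 and earlier, relative to the install folder.
DROPPED_FILES = (
    Path("bin") / "service.cer",
    Path("help") / "admin-guide" / "Reports" / "ReportGenerate.jsp",
)


def scan_access_log(lines, source="<memory>"):
    """Return one (source, line_no, indicator, raw_line) tuple per line containing an indicator."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for indicator in SUSPICIOUS_PATHS:
            if indicator in line:
                hits.append((source, line_no, indicator, line.rstrip()))
                break  # one hit per line is enough
    return hits


def check_dropped_files(install_dir, exists=os.path.isfile):
    """Return the advisory-named files present under install_dir (exists() is injectable for tests)."""
    root = Path(install_dir)
    return [str(rel) for rel in DROPPED_FILES if exists(root / rel)]


def assess_host(install_dir, exists=os.path.isfile):
    """Scan every file in <install_dir>/logs and check for dropped files; return a verdict dict."""
    hits = []
    for log_path in glob.glob(os.path.join(install_dir, "logs", "*")):
        if os.path.isfile(log_path):
            with open(log_path, encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_access_log(fh, source=log_path))
    files = check_dropped_files(install_dir, exists)
    # Per the advisory, either kind of evidence on its own means the system was affected.
    return {"log_hits": hits, "dropped_files": files, "affected": bool(hits or files)}


# Constructed sample access-log lines (not captured from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Sep/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 5120',
    '10.0.0.9 - - [08/Sep/2021:10:13:44 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 311',
    '10.0.0.9 - - [08/Sep/2021:10:13:45 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 89',
    '10.0.0.5 - - [08/Sep/2021:10:15:02 +0000] "GET /images/logo.png HTTP/1.1" 200 4401',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG, source="sample"):
        print("indicator %s at %s:%d" % (hit[2], hit[0], hit[1]))
    print(assess_host(r"C:\ManageEngine\ADSelfService Plus"))
```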
Threat updates
| Date | Update |
|---|---|
| 8 Nov 2021 | Ongoing campaign exploiting Zoho ManageEngine ADSelfService Plus: Palo Alto has warned of an ongoing campaign exploiting the critical vulnerability CVE-2021-40539 in Zoho's ManageEngine ADSelfService Plus. At least nine organisations have been compromised, including in healthcare, in attacks that aim to steal credentials, maintain access and extract sensitive data. Having gained access by exploiting CVE-2021-40539, attackers deploy a dropper to deliver Godzilla web shells on compromised servers to maintain access to the system. They then deploy the open-source NGLite backdoor and the KdcSponge credential stealer. |
Remediation advice
Organisations running ADSelfService Plus versions prior to 6114 are vulnerable and should immediately review Zoho's Security Advisory - CVE-2021-40539 and update ADSelfService Plus to the latest build, 6114.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 7 December 2021 4:06 pm