ManageEngine Disclosure #3

By Fortra's Digital Defense

Digital Defense is disclosing vulnerabilities identified in ManageEngine’s ADSelfService Plus application. ManageEngine was prompt in responding to the identified flaws and providing fixes for these security issues.

A patched version of ADSelfService Plus can be downloaded from the ManageEngine site at: https://www.manageengine.com/products/self-service-password/download.html

Clients who currently use Digital Defense’s Frontline Vulnerability Manager™ platform can sweep for the presence of these issues via Vulnerability Management, either by performing a full vulnerability assessment scan or by selecting the check CVC ManageEngine ADSelfService Plus Multiple Vulnerabilities (123850).


Details of the vulnerabilities are as follows:


Summary:

DDI-VRT-2018-16 - Credential Disclosure

DDI-VRT-2018-17 - Reflective Cross-Site Scripting


Details:

Vulnerability: NTLM Hash Disclosure / SSRF
Impact: A remote, unauthenticated attacker could leverage this flaw to obtain the NTLM hash for the account running the ADSelfService Plus product.
Application/Version Affected:
ADSelfService Plus 5.5 build 5515

Details: The ADSelfService Plus product is vulnerable to a Server-Side Request Forgery (SSRF) which can be leveraged to obtain NTLM hashes when the service is configured to use heightened privileges. The disclosed hash can then be relayed to other assets. This application is often configured with heightened privileges so that it can perform Active Directory password resets, and it is frequently reachable from outside the network.


Vulnerability: Reflected Cross-Site Scripting
Impact: Reconnaissance data gathering.
Application/Version Affected:
ADSelfService Plus 5.5 build 5515

Details: The ADSelfService Plus product is vulnerable to reflected cross-site scripting, which can be leveraged for phishing purposes.
