SB2022052502 - Multiple vulnerabilities in Zoho ManageEngine ADSelfService Plus
Published: May 25, 2022
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2021-37423)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insecure communication during password synchronization. A remote unauthenticated attacker can delete the real Password Sync Agent from the database and register a fake Password Sync Agent, breaking the sync agent functionality.
2) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the username is included in the request URL sent to the ADSelfService Plus server upon successful IdP authentication. A remote attacker can obtain this information in certain cases.
Remediation
Install the update from the vendor's website.