Zoho ManageEngine ADSelfService Plus Vulnerability

By Frank Wood on October 7, 2021

(By: Frank Wood on September 26, 2021)

Executive Summary

Zoho’s ManageEngine ADSelfService Plus is an Active Directory (AD) password management and single sign-on utility that lets users perform account functions that would otherwise require a request to information technology (IT) administrators. It gives users a convenient way to change passwords and unlock locked accounts from Windows, Linux, and macOS systems as well as iOS and Android devices. [4] While the software is aimed primarily at end users, it also enforces strict password policies such as password expiration, dictionary filters, pattern checking, and multi-factor authentication (MFA). [4]

On September 6, 2021, ManageEngine released build 6114 after it was discovered that a vulnerability had been actively exploited by advanced persistent threat (APT) cyber actors since August 2021. [2] This prompted the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to release a joint advisory about the vulnerability, advising ManageEngine ADSelfService Plus customers to upgrade to the new build and enforce an immediate password change for all users in the organization.

The impact of the exploitation has been judged so critical that the FBI is leveraging specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and with partner agencies. [2]

Vulnerability

CVE-2021-40539 – Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to a REST API authentication bypass with resultant remote code execution. [5] The attack allows the APT cyber actor to upload a .zip file containing a JavaServer Pages (JSP) webshell masquerading as an X.509 certificate named service.cer. Subsequent requests are then made to other API endpoints to further exploit the victim’s system. [1]

Once the initial attack succeeds, the JSP webshell is accessible at /help/admin-guide/Reports/ReportGenerate.jsp. The attacker then attempts to move laterally using Windows Management Instrumentation (WMI), gain access to a domain controller, dump NTDS.dit and the SECURITY/SYSTEM registry hives, and from there maintain the compromised access. [1]
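The two artifacts the advisory names, the service.cer upload and the webshell path, are concrete enough to hunt for. The script below is an added example written for this post (not code from Zoho, CISA, or the post's author) that flags both in an access log and checks the install directory for the dropped JSP. It assumes a Common Log Format style access log with an optional trailing quoted "detail" field (the product's real log layout may differ), a Tomcat-style webapps/adssp folder under the install root, and a REST prefix of /RestAPI/; the REST endpoint in the sample is a placeholder, and all sample log lines are constructed.

```python
"""
Hunt for post-exploitation artifacts of CVE-2021-40539 in an ADSelfService
Plus web access log and on the install's disk.

Added example for this write-up; not code from Zoho, CISA, or the post's
author. Assumptions: a CLF-like access log with an optional trailing quoted
"detail" field, a webapps/adssp layout under the install root, and a
/RestAPI/ prefix for REST endpoints. Sample log lines are constructed.
"""
import os
import re
from urllib.parse import urlsplit

# Indicators named in the write-up.
WEBSHELL_PATH = "/help/admin-guide/Reports/ReportGenerate.jsp"
UPLOAD_NAME = "service.cer"
REST_PREFIX = "/RestAPI/"  # assumption: REST endpoints live under this prefix

# Assumed CLF-like layout: ip ident user [ts] "METHOD target PROTO" status size ["detail"]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<detail>[^"]*)")?'
)

# Constructed sample lines; the REST path is a placeholder, not a real endpoint.
SAMPLE_LOG = """\
198.51.100.5 - - [10/Sep/2021:02:13:58 +0000] "POST /RestAPI/placeholder-endpoint HTTP/1.1" 200 88 "upload=service.cer"
203.0.113.7 - - [10/Sep/2021:02:14:03 +0000] "GET /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 512
192.0.2.44 - - [10/Sep/2021:09:01:11 +0000] "GET /ShowLogin.cc HTTP/1.1" 200 2048
192.0.2.44 - - [10/Sep/2021:09:01:12 +0000] "GET /HELP/Admin-Guide/Reports/ReportGenerate.jsp?x=1 HTTP/1.1" 404 0
"""


def hunt_access_log(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real hunt should count these too
        path = urlsplit(m["target"]).path  # drop any query string
        detail = m["detail"] or ""
        reason = None
        if path.lower() == WEBSHELL_PATH.lower():
            # Any hit on the webshell path is worth a look, even a 404:
            # it may be a probe before or after the drop. Match case-
            # insensitively because Windows file systems are.
            reason = "webshell_request"
        elif (m["method"] == "POST" and path.startswith(REST_PREFIX)
              and UPLOAD_NAME in detail):
            reason = "rest_api_cert_upload"
        if reason:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                             "status": int(m["status"]), "reason": reason})
    return findings


def sources_by_reason(findings):
    """Count distinct source IPs per reason, to prioritise triage."""
    per_reason = {}
    for f in findings:
        per_reason.setdefault(f["reason"], set()).add(f["ip"])
    return {reason: len(ips) for reason, ips in per_reason.items()}


def webshell_on_disk(install_root):
    """Return the full path of the dropped JSP if it exists under the
    assumed webapps/adssp layout, otherwise None."""
    rel = WEBSHELL_PATH.lstrip("/").replace("/", os.sep)
    candidate = os.path.join(install_root, "webapps", "adssp", rel)
    return candidate if os.path.isfile(candidate) else None


if __name__ == "__main__":
    found = hunt_access_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['reason']} {f['path']} ({f['status']})")
    print(sources_by_reason(found))
```

Run against the sample, the script reports the upload, the successful webshell request, and the later mixed-case 404 probe, and attributes the webshell hits to two distinct sources. On a real host, feed it the product's access log and pass the install directory to webshell_on_disk; a hit on either is grounds for the domain-wide password resets the advisory recommends.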

Impact

Because APT cyber actors are behind the exploitation of this vulnerability, the targets of this attack are wide-ranging and the results could be devastating. The CISA alert makes it clear that attacks based on the recently discovered ManageEngine vulnerability are already taking place against multiple targets in many sensitive industries. [3] The targets CISA listed are academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors, including transportation, IT, manufacturing, communications, logistics, and finance. Illicitly obtained access and information may disrupt company operations and subvert US research in multiple sectors. [1]

Mitigation

The mitigation for this vulnerability is to upgrade Zoho ManageEngine ADSelfService Plus to build 6114, which was released on September 6, 2021. Additionally, the FBI, CISA, and CGCYBER state that if there is any indication the NTDS.dit file was compromised, they recommend domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets. [1]

References

[1] CISA. (September 16, 2021). “Alert (AA21-259A): APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus.” us-cert.cisa.gov. Accessed September 23, 2021. https://us-cert.cisa.gov/ncas/alerts/aa21-259a.

[2] Greig, J. (September 17, 2021). “CISA warns of APT actors exploiting newly identified vulnerability in ManageEngine ADSelfService Plus.” ZDNet.com. Accessed September 23, 2021. https://www.zdnet.com/article/cisa-warns-of-apt-actors-exploiting-newly-identified-vulnerability-in-manageengine-adselfservice-plus/.

[3] Leyden, J. (September 22, 2021). “Weaponized ManageEngine flaw poses ‘serious risk’ to high-profile US targets – CISA.” portswigger.net. Accessed September 23, 2021. https://portswigger.net/daily-swig/weaponized-manageengine-flaw-poses-serious-risk-to-high-profile-us-targets-cisa.

[4] ManageEngine. (n.d.). “Overview.” manageengine.com. Accessed September 23, 2021. https://www.manageengine.com/products/self-service-password/?pos=MEhome&loc=ProdMenu&cat=AD&prev=AB2.

[5] Tenable. (September 14, 2021). “CVE-2021-40539.” Tenable.com. Accessed September 23, 2021. https://www.tenable.com/cve/CVE-2021-40539.