CISA has released an alert for the Zoho ManageEngine ADSelfService Plus authentication bypass vulnerability exploited by APT actors (CVE-2021-40539)

CISA has released a joint advisory regarding the recently exploited vulnerability in Zoho's ManageEngine ADSelfService Plus. The advisory urges customers to upgrade immediately, as APT actors are aggressively exploiting the newly identified vulnerability.
 
The FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) collaborated on this joint advisory to highlight the cyber threat associated with the active exploitation of a newly identified vulnerability.   
  
ADSelfService Plus from ManageEngine is a popular self-service password management and single sign-on solution.
 
The Common Vulnerability Scoring System (CVSS) has assessed CVE-2021-40539 as a major vulnerability. It affects the product's representational state transfer (REST) application programming interface (API) URLs and could allow remote code execution. According to the FBI, CISA, and CGCYBER, advanced persistent threat (APT) cyber attackers are likely among those exploiting the vulnerability. Critical infrastructure organizations, US-cleared defense contractors, academic institutions, and other entities that use ManageEngine ADSelfService Plus are all at risk if the vulnerability is exploited.
 
According to CISA, cybercriminals and nation-states can exploit the vulnerability by uploading a .zip file containing a JavaServer Pages (JSP) web shell masquerading as an x509 certificate (service.cer). The advisory notes that further requests are then sent to other API endpoints to continue the attack on the victim's system.
 
After the initial exploitation, the JSP web shell is accessible at /help/admin-guide/Reports/ReportGenerate.jsp. The attacker then attempts to move laterally using Windows Management Instrumentation (WMI), gain access to a domain controller, dump NTDS.dit and the SECURITY/SYSTEM registry hives, and maintain access from there.
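As an added detection example (not part of the CISA alert or the Qualys post), the script below checks web access logs for requests to the web shell path named above and flags builds below 6114. The Common Log Format layout of the log lines, the sample entries themselves, and the RFC 5737 addresses are all assumptions constructed for the example; adapt the regex to whatever your reverse proxy or WAF actually writes.

```python
import re
from collections import Counter

# Indicators taken from the CISA alert as summarized on this page.
WEBSHELL_PATH = "/help/admin-guide/Reports/ReportGenerate.jsp"
FIXED_BUILD = 6114  # first ADSelfService Plus build containing the fix

# Assumed Common Log Format written by a proxy in front of ADSelfService Plus.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_vulnerable_build(build: int) -> bool:
    """Builds up to 6113 are affected; 6114 and later contain the fix."""
    return build < FIXED_BUILD


def find_webshell_hits(log_lines):
    """Return (ip, timestamp, method, status) for every request to the web shell path.

    The comparison ignores the query string and letter case so that a
    differently cased request or a case-folding proxy does not hide a hit;
    any request to this path is an indicator, whatever the parameters."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log layout
        path = m.group("path").split("?", 1)[0]
        if path.lower() == WEBSHELL_PATH.lower():
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), int(m.group("status"))))
    return hits


def sources_by_count(hits):
    """Rank requesting IPs by successful (2xx) hits; a 2xx means the shell answered."""
    return Counter(ip for ip, _, _, status in hits if 200 <= status < 300).most_common()


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2021:14:03:22 +0000] "POST /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 512
198.51.100.7 - - [10/Sep/2021:14:04:01 +0000] "GET /help/admin-guide/Reports/index.html HTTP/1.1" 200 2048
203.0.113.5 - - [10/Sep/2021:14:05:40 +0000] "POST /help/admin-guide/reports/reportgenerate.jsp?x=1 HTTP/1.1" 200 300
192.0.2.9 - - [10/Sep/2021:14:06:13 +0000] "GET /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    hits = find_webshell_hits(SAMPLE_LOG.splitlines())
    for hit in hits:
        print("web shell request:", hit)
    print("ranked sources:", sources_by_count(hits))
    print("build 6113 vulnerable:", is_vulnerable_build(6113))
```

A 404 on the path is still worth triage: it shows someone probed for the shell even if it was not present at that moment.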
 
Affected versions  
Zoho ManageEngine ADSelfService Plus versions up to and including build 6113 are affected by this vulnerability.
 
Mitigation  
Zoho has released ManageEngine ADSelfService Plus build 6114 to address the vulnerability. Customers are advised to refer to the Security Advisory for more updates about this vulnerability. 
 
Qualys Detection  
Qualys customers can scan their devices with QID 375840 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://us-cert.cisa.gov/ncas/alerts/aa21-259a 
https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html 
https://www.securitymagazine.com/articles/96115-apt-actors-exploiting-newly-identified-vulnerability-in-manageengine-adselfservice-plus 
https://www.zdnet.com/article/cisa-warns-of-apt-actors-exploiting-newly-identified-vulnerability-in-manageengine-adselfservice-plus/ 
