How to identify and mitigate the unauthenticated product integration vulnerability
Some versions of AD360 are affected by a vulnerability that allows unauthenticated changes to the product integration settings. This article explains how to identify whether your AD360 installation is affected and how to fix it. It also offers mitigation steps to protect your installation in case it is not affected.
What is the issue?
AD360 had a vulnerable endpoint that allowed a user to integrate AD360 with any other supported ManageEngine product, bypassing authentication. This could lead to a data leak.
Which version of AD360 is affected?
All AD360 builds below 4228 are affected.
What is the severity level of the vulnerability?
This is a critical issue. Because this vulnerability could be exploited without authentication on any publicly exposed AD360 installation, the risks posed could be critical.
How do I check if my installation has been compromised?
- Log in to AD360 as an admin.
- Go to Admin → Administration → AD360 Integration.
- If you had not configured any ManageEngine products (ADManager Plus, ADAudit Plus, ADSelfService Plus, Exchange Reporter Plus, O365 Manager Plus and RecoveryManager Plus), please check if they are added now. If you had already integrated AD360 with any of these ManageEngine products, please check if their configuration settings are the same or have been modified.
- Check whether the Logon Settings (Admin → Administration), including SSO and TFA, and Mail Server settings (Admin → General Settings → Server Settings) have been altered.
What if I find that my installation has been compromised?
If you find or suspect that your AD360 installation has been compromised:
- Shut down the product.
- Restore from a previous backup, to undo unnecessary or unauthorized changes.
- Update the product to the latest build, 4228, using the service pack.
- Restart AD360.
What should I do to protect AD360?
We recommend that you update to the latest build, 4228, even if your instance is unaffected. If, for any reason, you cannot upgrade immediately, perform the following mitigation steps and update to the latest build as early as possible.
- Stop AD360.
- Remove or comment out the following content in the web.xml file at \webapps\ads\WEB-INF\web.xml (shown here in its commented-out form).
<!-- servlet-mapping>
<servlet-name>UpdateProductDetails</servlet-name>
<url-pattern>/servlet/UpdateProductDetails</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>HSKeyAuthenticator</servlet-name>
<url-pattern>/servlet/HSKeyAuthenticator</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>HSKeyAuthenticator</servlet-name>
<servlet-class>com.manageengine.ads.fw.servlet.HSKeyAuthenticator</servlet-class>
</servlet>
<servlet>
<servlet-name>UpdateProductDetails</servlet-name>
<servlet-class>com.manageengine.ads.fw.servlet.UpdateProductDetails</servlet-class>
</servlet>-->
Note: Deleting or commenting out these entries will disable data synchronization and the flow of data with the integrated products.
- Restart AD360.
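To confirm the edit took effect, the following Python script (an added example, not ManageEngine's code) parses web.xml and lists any of the two servlets or their mappings that are still active. The function names and the sample XML are constructed for illustration; only the servlet names come from the snippet above.

```python
import sys
import xml.etree.ElementTree as ET

# Servlet names taken from the advisory's web.xml snippet.
TARGETS = {"UpdateProductDetails", "HSKeyAuthenticator"}

def _local(tag):
    """Drop an XML namespace prefix such as '{http://...}servlet'."""
    return tag.rsplit("}", 1)[-1]

def active_entries(web_xml_text):
    """Return sorted (element, servlet-name) pairs that are still active.

    ElementTree discards XML comments while parsing, so entries wrapped in
    <!-- ... --> are not reported, unlike a plain text search of the file.
    """
    root = ET.fromstring(web_xml_text)
    found = set()
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ("servlet", "servlet-mapping"):
            continue
        for child in elem:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
                if name in TARGETS:
                    found.add((kind, name))
    return sorted(found)

# Constructed sample: one mapping still active, one servlet commented out.
SAMPLE = """<web-app>
  <servlet-mapping>
    <servlet-name>UpdateProductDetails</servlet-name>
    <url-pattern>/servlet/UpdateProductDetails</url-pattern>
  </servlet-mapping>
  <!-- servlet>
    <servlet-name>HSKeyAuthenticator</servlet-name>
    <servlet-class>com.manageengine.ads.fw.servlet.HSKeyAuthenticator</servlet-class>
  </servlet-->
</web-app>"""

if __name__ == "__main__":
    # Usage: pass the path to web.xml; with no argument the sample is checked.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    leftovers = active_entries(text)
    for kind, name in leftovers:
        print(f"still active: <{kind}> {name}")
    sys.exit(1 if leftovers else 0)
```

An exit status of 0 means none of the four entries is active; a non-zero status means at least one was missed or re-enabled.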
If you need further information, have any questions, or face any difficulties upgrading or performing the recommended steps, please get in touch with us at ad360-support@manageengine.com, or 1-844-245-1108 (toll free).