RESTAPI Restriction Bypass Vulnerability - CVE-2022-29081

Severity : High

CVE ID : CVE-2022-29081

Product Name	Affected Version(s)	Fixed Version(s)	Fixed On
Access Manager Plus	4000 to 4301	4302	13-04-2022
Password Manager Pro	10103 to 12006	12007	14-04-2022
PAM360	4001 to 5400	5401	15-04-2022

Details :
An authentication bypass vulnerability that allows an attacker to bypass security checks in specific RESTAPI URLs and gain unauthorized access to the application was reported.

The following RESTAPI URLs were affected by the vulnerability:

//RestAPI/SSOutAction
//RestAPI/SSLAction
//RestAPI/LicenseMgr
//RestAPI/GetProductDetails
//RestAPI/GetDashboard
//RestAPI/FetchEvents
//RestAPI/Synchronize

We fixed this issue by adding a security validation check on the API request URI in PAM360 and Password Manager Pro, and by removing unused API URLs in Access Manager Plus.

Impact :
The vulnerability allowed an attacker to invoke the following operations in all three products:

Restart the service
Access dashboard details
Apply a product license and get existing license details
Create new server certificates
Create/download server CSR, and apply server certificates
Fetch event logs, and set up synchronization schedules

In addition to the aforementioned, the vulnerability also allowed attackers to terminate active RDP sessions, launched via ManageEngine ServiceDesk Plus, on PAM360 and Password Manager Pro.

Steps to Upgrade:

Download the latest upgrade pack from the following links for the respective product:
- PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
- Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
- Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements:

Reported by Evan Grant.

Please contact the product support for further details at the below mentioned email addresses:

PAM360: pam360-support@manageengine.com

Password Manager Pro: passwordmanagerpro-support@manageengine.com

Access Manager Plus: accessmanagerplus-support@manageengine.com