How to identify and mitigate the unauthenticated product integration vulnerability

Some versions of ADManager Plus are affected by an unauthenticated change-to-integration-settings vulnerability, CVE-2020-24786, which was reported on Medium by Florian Hauser. This article explains how to identify whether your ADManager Plus installation is affected and how to fix it. It also gives mitigation steps to protect your installation even if it is not affected.

What is the issue?

ADManager Plus had a vulnerable endpoint that allowed a user to integrate their installation with any other ManageEngine product installation while bypassing authentication. This could lead to data leakage.

Whom does it affect?

Users using ADManager Plus versions below 7055.

What is the severity level of the vulnerability?

This is a critical issue. Because the vulnerability can be exploited without authentication on any publicly exposed ADManager Plus installation, the risk it poses is critical.

How do I check if my installation has been compromised?

Log in to ADManager Plus and:

  • In Integrations (Admin tab → System Settings → Integrations): if you had not configured any ManageEngine products (ADSelfService Plus, ServiceDesk Plus, and PAM360), check whether any have been added now. If you had already integrated ADManager Plus with any of these ManageEngine products, check whether their configuration settings have been modified.
  • In Domain Settings, check whether any new, additional, or illegitimate domains have been configured.
  • Check whether the Logon Settings (Delegation tab → Configuration), such as SSO and TFA, and the Email Server settings (Admin tab → General Settings → Server Settings) have been changed.

What if I find that my installation is compromised?

If you find, or suspect, that your ADManager Plus installation is compromised:

  • Shut down the product.
  • Restore from a previous backup to undo unwanted or unauthorized changes.
  • Update the product to the latest build, 7055. Download the service pack from here. You can download the complete build from here.
  • Restart ADManager Plus.

What should I do if my installation is not compromised, to protect it?

We recommend that you upgrade to the latest build (7055) even if your instance is unaffected. Download the service pack from here; the complete build from here. If, for any reason, you cannot upgrade immediately, perform the following mitigation steps and upgrade to the latest build as soon as possible.

  1. Stop ADManager Plus.
  2. Remove or comment out the following content in the file web.xml at \ManageEngine\ADManager Plus\webapps\adsm\WEB-INF\web.xml (shown here already wrapped in an XML comment):
    <!--
    <servlet-mapping>
    <servlet-name>UpdateProductDetails</servlet-name>
    <url-pattern>/servlet/UpdateProductDetails</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
    <servlet-name>HSKeyAuthenticator</servlet-name>
    <url-pattern>/servlet/HSKeyAuthenticator</url-pattern>
    </servlet-mapping>

    <servlet>
    <servlet-name>HSKeyAuthenticator</servlet-name>
    <servlet-class>com.manageengine.ads.fw.servlet.HSKeyAuthenticator</servlet-class>
    </servlet>

    <servlet>
    <servlet-name>UpdateProductDetails</servlet-name>
    <servlet-class>com.manageengine.ads.fw.servlet.UpdateProductDetails</servlet-class>
    </servlet>
    -->

    Note: Deleting or commenting out these entries disables data synchronization and the flow of data with the integrated products.

  3. Restart ADManager Plus.
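To verify that the mitigation above was applied correctly, the following added script (not ManageEngine's code) parses a web.xml and reports whether either of the two servlets named in step 2 is still mapped to a URL; entries wrapped in an XML comment are ignored by the parser and therefore count as mitigated. The sample web.xml embedded in it is constructed for illustration.

```python
"""Check an ADManager Plus web.xml for the two servlet mappings named in the
mitigation steps (added example, not ManageEngine's own code)."""
import sys
import xml.etree.ElementTree as ET

# Servlet names the mitigation says to remove or comment out.
MITIGATED_SERVLETS = {"UpdateProductDetails", "HSKeyAuthenticator"}


def _local(tag):
    """Strip a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def active_servlet_urls(web_xml_text):
    """Return {servlet-name: [url-pattern, ...]} for mitigated servlets that
    are still mapped. Commented-out mappings never reach the parser."""
    root = ET.fromstring(web_xml_text)
    found = {}
    for mapping in root:
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name = pattern = None
        for child in mapping:
            text = (child.text or "").strip()
            if _local(child.tag) == "servlet-name":
                name = text
            elif _local(child.tag) == "url-pattern":
                pattern = text
        if name in MITIGATED_SERVLETS:
            found.setdefault(name, []).append(pattern)
    return found


def is_mitigated(web_xml_text):
    return not active_servlet_urls(web_xml_text)


# Constructed sample: one mapping still live, one already commented out.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet-mapping>
    <servlet-name>UpdateProductDetails</servlet-name>
    <url-pattern>/servlet/UpdateProductDetails</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping>
    <servlet-name>HSKeyAuthenticator</servlet-name>
    <url-pattern>/servlet/HSKeyAuthenticator</url-pattern>
  </servlet-mapping>
  -->
</web-app>"""

if __name__ == "__main__":
    # Usage: python check_web_xml.py <path-to-web.xml>; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    live = active_servlet_urls(text)
    print("mitigated" if not live else "still exposed: %s" % live)
```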

If you need further information, have any questions, or face any difficulty upgrading or performing the recommended steps, please get in touch with us at support@admanagerplus.com or +1-844-245-1108 (toll free).
