Unauthenticated File/Directory Creation Vulnerability - CVE-2022-35404

Unauthenticated File/Directory Creation Vulnerability in ManageEngine Password Manager Pro, PAM360 and Access Manager Plus

Severity : Medium

CVE ID : CVE-2022-35404

Details :
An unauthenticated file/directory creation vulnerability (CVE-2022-35404) was reported in Password Manager Pro, PAM360 and Access Manager Plus. It allows an adversary who can reach the product's auto-logon endpoint, without any credentials, to create arbitrary directories and large numbers of small files on the server hosting the installation.

Product                Affected Version(s)   Fixed Version(s)   Fixed On (DD-MM-YYYY)
Password Manager Pro   12100 and below       12101              24-06-2022
PAM360                 5500 and below        5510               23-06-2022
Access Manager Plus    4302 and below        4303               24-06-2022

We fixed this issue by adding appropriate authentication checks to the server-side source code: the server now creates and assigns a unique token for every auto-logon session, and validates that token before initiating the session, so a request that carries no valid token can no longer trigger file or directory creation.
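The pattern the fix describes, a server-issued per-session token that must validate before anything is written to disk, is shown below as an added illustration. This is not ManageEngine's code and is written in Python rather than the product's own language; the token lifetime, the session-directory layout, the helper names and the sample request values are all assumptions made for the example. The vulnerable handler creates whatever directory the request names; the hardened handler refuses unless the session id was issued by the server and the accompanying token is unexpired, unused and compared in constant time.

```python
import hmac
import os
import re
import secrets
import tempfile
import time

# Assumed lifetime of an auto-logon token; the advisory does not state one.
TOKEN_TTL_SECONDS = 60
# secrets.token_urlsafe() output only uses these characters, so a server-issued
# id always matches; attacker-chosen names such as "../x" do not.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


class AutoLogonTokenStore:
    """Issues one-time, expiring (session_id, token) pairs and validates them."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # session_id -> (token, expiry)

    def issue(self):
        """Called only after the server has decided an auto-logon session may start."""
        session_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._pending[session_id] = (token, self._clock() + self._ttl)
        return session_id, token

    def consume(self, session_id, presented):
        """True exactly once per issued pair, and only before expiry."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        token, expiry = entry
        if self._clock() > expiry:
            del self._pending[session_id]
            return False
        # Constant-time compare so a wrong token leaks nothing via timing.
        if not hmac.compare_digest(token.encode(), presented.encode()):
            return False
        del self._pending[session_id]  # single use: a replay fails
        return True


def create_session_dir_unauthenticated(base_dir, session_id):
    """Vulnerable shape: a directory is created for whatever id the request names."""
    path = os.path.join(base_dir, session_id)
    os.makedirs(path, exist_ok=True)
    return path


def create_session_dir_with_token(store, base_dir, session_id, token):
    """Hardened shape: the directory is created only for a validated, server-issued session."""
    if not SAFE_ID.fullmatch(session_id) or not store.consume(session_id, token):
        return None
    path = os.path.join(base_dir, session_id)
    os.mkdir(path)  # the id is fresh, so the directory must not already exist
    return path


def _fake_clock(start=0.0):
    """Controllable clock so the expiry path can be exercised deterministically."""
    state = {"t": start}
    return (lambda: state["t"]), (lambda s: state.update(t=state["t"] + s))


def demo():
    """Runs both handlers against constructed requests and returns the outcomes."""
    base = tempfile.mkdtemp()
    now, advance = _fake_clock()
    store = AutoLogonTokenStore(ttl=TOKEN_TTL_SECONDS, clock=now)

    # Unauthenticated handler: three attacker-chosen names, all succeed.
    created = [create_session_dir_unauthenticated(base, f"junk-{i}") for i in range(3)]

    sid, tok = store.issue()
    results = {
        "forged": create_session_dir_with_token(store, base, "junk-0", "A" * 43),
        "traversal": create_session_dir_with_token(store, base, "../x", tok),
        "valid": create_session_dir_with_token(store, base, sid, tok),
        "replay": create_session_dir_with_token(store, base, sid, tok),
    }
    sid2, tok2 = store.issue()
    advance(TOKEN_TTL_SECONDS + 1)  # let the second token lapse
    results["expired"] = create_session_dir_with_token(store, base, sid2, tok2)
    return base, created, results


if __name__ == "__main__":
    print(demo())
```

The two points that matter for this advisory are that the token is minted by the server after it has already decided a session is legitimate, and that the filesystem write happens only after `consume()` succeeds; validating the id format as well keeps a client-supplied name from steering the write elsewhere.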

Impact:
This vulnerability allows adversaries to create arbitrary directories and many small files on the installation server without authenticating. Repeated requests can consume the server's storage capacity and ultimately cause a denial of service.

Steps to Upgrade:

  1. Download the latest upgrade pack from the following links for the respective products:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements:

Reported by Katie (Tenable).

Please contact the product support for further details at the below mentioned email addresses:

PAM360: pam360-support@manageengine.com

Password Manager Pro: passwordmanagerpro-support@manageengine.com

Access Manager Plus: accessmanagerplus-support@manageengine.com
