Pricing  Get Quote
 
 

Security Advisory

Security advisory - ADSelfService Plus authentication bypass vulnerability

CVE code.: CVE-2021-40539

Severity.: Critical

Versions affected.: ADSelfService Plus builds up to 6113

Fix: ADSelfService Plus build 6114 ( Sep 7, 2021)

This page covers details of the vulnerability and an incident response plan if your system is affected. For more information on the latest updates and the timeline of the vulnerability, you can visit this page. Have questions about this vulnerability? Check out our detailed FAQ page. You can also sign up for a complementary vulnerability audit on this page. Our emergency support team will help you through a one-on-one session and manually run the tool, check for indicators of compromise, and answer all your questions.

We have partnered with Veracode, an independent application security company, to conduct manual pen tests on ADSelfService Plus so that we get a third-person perspective on the security footing of the solution.

Introduction

We were notified about an authentication bypass vulnerability in ADSelfService Plus affecting the REST API URLs that could result in remote code execution.

Details

The Rest API URLs are authenticated by a specific security filter in ADSelfService Plus.

Attackers used specially crafted Rest API URLs that were able to bypass this security filter due to an error in normalizing the URLs before validation. This, in turn, gave attackers access to REST API endpoints, and they exploited the endpoints to perform subsequent attacks such as arbitrary command execution. The following exploit analysis flowchart shows how the attackers exploited the vulnerability.

Block User Tab CVE-2021-40539 exploit analysis flowchart

How do I check if my installation is affected?

There are three ways to check if your installation is affected:

1. Run our exploit detection tool

We have developed an exploit detection tool to help you identify whether your installation has been affected by this vulnerability. You can download the tool here.

Note: A discrepancy was found while running an earlier version of this tool as an administrator. This was reported by Cyberoo CERT and has been fixed as of June 2, 2023.

Once you have downloaded the file, follow these steps:

  1. Extract the tool to the \ManageEngine\ADSelfService Plus\bin folder.
  2. Right-click on the RCEScan.bat file, and select Run as administrator.
  3. A Command Prompt window will open and the tool will run a scan. If your installation is affected, you will get the following message:
    "Result: Your ADSelfService Plus installation is affected by authentication bypass vulnerability."

If you want to check for logs manually, you can follow the steps given below.

2. Check for specific log entries

  1. Access logs

    In the \ManageEngine\ADSelfService Plus\logs folder, search the access log files with the pattern "access_log_<date>.txt" and check for entries with the strings listed below:

    1. /../RestAPI
    2. /./RestAPI

    The image below shows an access log entry example with the above mentioned strings:

    Block User Tab

  2. ServerOut logs

    In the \ManageEngine\ADSelfService Plus\logs folder, search the access log files with the pattern "serverOut_<date>.txt" and check for an exception as shown in the image below:

    Block User Tab

  3. ADS logs

    In the \ManageEngine\ADSelfService Plus\logs folder, search the access log files with the pattern "adslog_<date>.txt" and check for Java traceback errors that include references to NullPointerException in addSmartCardConfig or getSmartCardConfig as shown in the image below:

    Block User Tab

3. Check for specific files in the system

If you are running ADSelfService Plus version 6113 or lower, and if your system has been affected, your system may have the following files in the ADSelfService Plus installation folder:

  1. service.cer in the \ManageEngine\ADSelfService Plus\bin folder.
  2. ReportGenerate.jsp in the \ManageEngine\ADSelfService Plus\help\admin-guide\Reports and \ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports folders.
  3. adap.jsp in the \ManageEngine\ADSelfService Plus\webapps\adssp\help\html\promotion folder.
  4. custom.bat and custom.txt files in the C:\Users\Public\ folder.

Additionally, the below IoCs were published by CrowdStrike on Jun 22, 2023, in connection to their observation of a threat activity suspected to be exploiting CVE-2021-40539.

  1. selfsdp.jspx in \ManageEngine\ADSelfService Plus\webapps\adssp\html\promotion\ folder.
  2. error.jsp in \ManageEngine\ADSelfService Plus\webapps\adssp\html\ folder.
  3. tomcat-ant.jar in \ManageEngine\ADSelfService Plus\lib\ folder.
  4. Any folder other than selfservice in \ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\ folder.

Incident response plan

Check for system compromise:

- Run our exploit detection tool
- Check for access logs
- Check for specific files in the system

Is your system compromised?
Yes ↓ No ↓
1. Disconnect the affected system from your network. 1. Update to ADSelfService Plus build 6114 using the service pack.
2. Back up the ADSelfService Plus database using these steps. 2. If you need further information, have any questions, or face any difficulties updating ADSelfService Plus, please get in touch with us at adselfserviceplus-security@manageengine.com or +1.408.916.9890 (toll free).
3. Format the compromised machine.

Note: Before formatting the machine, ensure that you have backed up all critical business data.

 
4. Download and install ADSelfService Plus.

A. The build version of the new installation should be the same as that of the backup.

B. It is highly recommended to utilize a different machine for the new installation.

 
5. Restore the backup and start the server.  
6. Once the server is up and running, update ADSelfService Plus to the latest build, 6114, using the service pack.  
7. Check for unauthorized access or use of accounts. Also, check for any evidences of lateral movement from the compromised machine to other machines. If there are any indications of compromised Active Directory accounts, initiate password reset for those accounts.  
8. If you need further information, have any questions, or face any difficulties updating ADSelfService Plus, contact our emergency support hotline: adselfserviceplus-security@manageengine.com or +1.408.916.9890 (toll free)  

Request for Support

Need further assistance? Fill this form, and we'll contact you rightaway.

  • Name
  •  
  • Business Email *
  •  
  • Phone *
  •  
  • Problem Description *
  •  
  • Country
  •  
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.
Highlights

Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

Embark on a journey towards identity security and Zero Trust