Our response to CVE-2023-35719

Recently, a third party reported a suspected vulnerability in our on-premises ManageEngine ADSelfService Plus product, tracked as CVE-2023-35719. After a thorough investigation, we have determined that the reported issue is a consequence of an insecure configuration: running the product over plain HTTP rather than HTTPS. In this post we address the concern and set out the steps customers must take to secure their installations.

The reported concern involves deployments that run the product in HTTP mode, without Transport Layer Security (TLS). ADSelfService Plus deliberately lets customers explore its functionality during a proof-of-concept (PoC) without a valid TLS certificate so that the product can be evaluated quickly. That mode is intended only for initial exploration and must not be used in production: without TLS, anyone on the network path between a client and the server can read and modify the traffic.

Transport Layer Security (TLS) is the cryptographic protocol that secures communication over a network. Configuring the product in HTTPS mode, which means obtaining a certificate from a trusted certificate authority and installing it on the server, encrypts the traffic between clients and the server and protects it against eavesdropping and tampering in transit. It also lets clients authenticate the server, provided they validate the certificate they are presented with; together these properties ensure the confidentiality and integrity of the data exchanged.

To ensure the security of our on-premises server product, we have published deployment guidelines for our customers. These guidelines explicitly call for configuring the product in HTTPS mode in every secure deployment. Please refer to:

https://download.manageengine.com/products/self-service-password/adselfservice-plus-ssl-installation-guide.pdf

https://download.manageengine.com/products/self-service-password/adselfservice-plus-post-deployment-security-measures.pdf

The ADSelfService Plus Login Agent, which is installed on client computers and communicates with the server, must be deployed and configured with equal care. If the server is running in non-HTTPS mode (without TLS) during the PoC stage, the agent will communicate over plain HTTP. Before moving to production, customers must configure TLS on the server and reconfigure the agent to use HTTPS (TLS) by reinstalling it; an agent installed while the server was in HTTP mode does not switch to HTTPS on its own. This ensures secure communication between agents and servers and maintains the confidentiality and integrity of the transmitted data.

To streamline Login Agent deployment and keep agents on the secure configuration, the product offers a Login Agent scheduler. It installs the agent automatically on all user machines within the domain and pushes configuration changes (such as the switch from HTTP to HTTPS) to agents that are already installed. Please refer to our documentation for the Login Agent scheduler.

To mitigate the risks associated with misconfigurations, ManageEngine emphasizes the following secure deployment guidelines:

  1. When deploying the product to production, always procure a valid TLS certificate and configure the product in HTTPS mode so that communication between clients and the server is secured. After installing the certificate, make sure the product access URL is also set to HTTPS; the certificate alone does not change the URL that clients and agents are given. Please refer to our documentation.
  2. The option to disable TLS certificate validation should be used only for troubleshooting or product exploration during the PoC stage. It must never be disabled in production: with validation off, a client accepts any certificate, including one presented by an attacker, so TLS no longer authenticates the server.
  3. Install Login Agents only after the server and the access URL have been configured for HTTPS. If you installed Login Agents during the HTTP (PoC) stage, reinstall them after configuring TLS and the access URL, or use the Login Agent scheduler to push the change.
  4. Keep your servers and agents up to date. New vulnerabilities and threats emerge over time, and we address them through updates and patches; running the latest versions gives you the current security fixes and safeguards.
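As an added example, not code from ManageEngine or from the product's own tooling, the following Python script turns the guidelines above into a pre-production check. It flags an access URL that is not HTTPS, performs a real TLS handshake with chain and hostname validation (the behaviour a correctly configured Login Agent or browser should exhibit), shows in code what "disable TLS certificate validation" actually does, and probes whether the plain-HTTP port still serves content. Ports 8888 and 9251 are assumed to be the product's default HTTP and HTTPS ports, and the host adss.example.com is a placeholder.

```python
"""Pre-production TLS check for an ADSelfService Plus access URL.

Added example; not ManageEngine code. check_access_url() is an offline policy
check; verify_tls_endpoint() and plain_http_status() contact a live server.
Ports 8888 (HTTP) and 9251 (HTTPS) are assumed to be the product defaults.
"""
import http.client
import ipaddress
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit

DEFAULT_HTTP_PORT = 8888    # assumed plain-HTTP (PoC) default
DEFAULT_HTTPS_PORT = 9251   # assumed HTTPS default


def check_access_url(url: str) -> list:
    """Return policy findings for the configured access URL; [] means it passes."""
    p = urlsplit(url)
    findings = []
    if p.scheme.lower() != "https":
        findings.append(f"scheme '{p.scheme}' is not https; the production access URL must use https")
    if p.port in (80, DEFAULT_HTTP_PORT):
        findings.append(f"port {p.port} is the plain-HTTP port; expected {DEFAULT_HTTPS_PORT} or 443")
    if not p.hostname:
        findings.append("URL has no hostname")
    else:
        try:
            ipaddress.ip_address(p.hostname)
            findings.append("hostname is an IP literal; clients validate the certificate against "
                            "the name they connect to, so use the DNS name the certificate is issued to")
        except ValueError:
            pass  # a DNS name, as expected
    return findings


def secure_context() -> ssl.SSLContext:
    """Default context: requires a chain to the system trust store and checks the hostname."""
    return ssl.create_default_context()


def insecure_context() -> ssl.SSLContext:
    """What 'disable TLS certificate validation' means on the wire: any certificate is
    accepted, so an on-path attacker can impersonate the server. PoC troubleshooting only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a trusted chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verify_tls_endpoint(host: str, port: int = DEFAULT_HTTPS_PORT, timeout: float = 5.0) -> dict:
    """Handshake with full validation, exactly as a correctly configured client would."""
    ctx = secure_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # populated only because validation succeeded
                days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) / 86400
                return {"ok": True, "protocol": tls.version(),
                        "subject": dict(rdn[0] for rdn in cert["subject"]),
                        "days_left": int(days_left)}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "error": f"certificate rejected: {e.verify_message}"}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "error": str(e)}


def plain_http_status(host: str, port: int = DEFAULT_HTTP_PORT, timeout: float = 5.0) -> dict:
    """Probe the plain-HTTP port. After the move to HTTPS it should be closed or only
    redirect to https; a 200 here means the portal is still reachable in the clear."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        return {"open": True, "status": resp.status,
                "redirects_to_https": location.lower().startswith("https://")}
    except (OSError, http.client.HTTPException) as e:
        return {"open": False, "error": str(e)}


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://adss.example.com:9251"  # placeholder
    for finding in check_access_url(url):
        print("FINDING:", finding)
    parts = urlsplit(url)
    if parts.hostname:
        print("tls:", verify_tls_endpoint(parts.hostname, parts.port or DEFAULT_HTTPS_PORT))
        print("http:", plain_http_status(parts.hostname))
```

Run it from a machine on the same network as the Login Agents, passing the access URL exactly as it is configured in the product, e.g. `python adss_tls_check.py https://adss.example.com:9251` (the file name is your choice). A clean result is no findings, `ok: True` from the TLS check with a comfortable number of days before expiry, and an HTTP probe that is either closed or redirects to https.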

We would like to confirm that ADSelfService Plus, when deployed with the proper TLS configuration, is not affected by the security concern that was disclosed.

To further strengthen the product, we have identified areas for improvement. We plan to introduce in-product banners that alert product administrators to potential misconfigurations, so that they can be corrected promptly.

We are committed to protecting our users' data and the integrity of our products, and to providing ongoing support, education and resources that help our customers deploy securely.

If you have any questions or concerns, or need assistance with the deployment or configuration of the product, please contact our customer support team at support@adselfserviceplus.com.
