Severity: High
CVE ID: CVE-2023-35785
Details:
This advisory addresses a two-factor authentication (TFA) bypass vulnerability involving a few TOTP authenticators in multiple ManageEngine products. To exploit this vulnerability, an attacker must already hold a valid username and password pair for the targeted account. The affected products and patch details are listed below:
Product Name | Impacted Version(s) | Fixed Version(s) | Released On |
---|---|---|---|
Active Directory 360 | 4315 and below | 4316 | 20/06/23 |
ADAudit Plus | 7202 and below | 7203 | 19/06/23 |
ADManager Plus | 7200 and below | 7201 | 20/06/23 |
Asset Explorer | 6993 and below | 6994 | 19/06/23 |
Asset Explorer | 7002 and below | 7003 | 19/06/23 |
Cloud Security Plus | 4161 and below | 4162 | 21/06/23 |
Data Security Plus | 6110 and below | 6111 | 21/06/23 |
Eventlog Analyzer | 12301 and below | 12302 | 19/06/23 |
Exchange Reporter Plus | 5709 and below | 5710 | 21/06/23 |
Log360 | 5315 and below | 5316 | 19/06/23 |
Log360 UEBA | 4045 and below | 4046 | 20/06/23 |
M365 Manager Plus | 4529 and below | 4531 | 21/06/23 |
M365 Security Plus | 4529 and below | 4531 | 21/06/23 |
Recovery Manager Plus | 6061 and below | 6062 | 21/06/23 |
ServiceDesk Plus | 14302 and below | 14303 | 19/06/23 |
ServiceDesk Plus | 14204 and below | 14205 | 19/06/23 |
ServiceDesk Plus MSP | 14300 and below | 14301 | 19/06/23 |
SharePoint Manager Plus | 4402 and below | 4403 | 21/06/23 |
Support Center Plus | 14300 and below | 14301 | 21/06/23 |
Given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of the above products immediately.
Impact:
This vulnerability allows an adversary who already possesses valid credentials to bypass two-factor authentication and take over the victim's account.
Note: ManageEngine On-Demand/cloud products are not affected by this vulnerability.
Acknowledgements:
This vulnerability was reported by dalt4sec through our Bug Bounty program.
Please contact our product support or security@manageengine.com if you need any further assistance.