Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] ManageEngine ADAudit Plus Multiple Vulnerabilities

High

Synopsis

During the course of Nessus plugin development, Tenable discovered several issues in ADAudit Plus:

  1. A Cross-site Request Forgery (CSRF) vulnerability that allows for the creation of an arbitrary administrative account, if a currently authenticated administrator is tricked into clicking a link. The issue is due to the /TechnicianConfiguration.do script not requiring multiple steps, explicit confirmation, or a unique token when performing actions related to the script. This can be used to create an arbitrary account with administrative privileges.
  2. Multiple stored cross-site scripting (XSS) issues. Note that these are likely considered lower risk, as they require administrative authentication. However, not all administrators of an application are presumed to have the permissions and information that can be gained from such an attack.
    1. SaveMonitor.do MONITOR_NAME parameter
    2. UpdateMonitor.do MONITOR_NAME parameter
    3. SaveAlertProfile.do ALERT_PROFILE_NAME parameter
    4. UpdateAlertProfile.do ALERT_PROFILE_NAME parameter
    5. CreateCustomReport.do customReportName parameter
    6. SaveAuditAction.do ACTION_NAME and ACTION_DESCRIPTION parameters
    7. CreateScheduler.do scheduleName parameter
  3. A remote privilege escalation vulnerability that can be performed with the absolute least privileged account (e.g. 'Nothing' permissions with only read access), to gain full administrative access to the application. The issue is due to the /TechnicianConfiguration.do script not properly checking for user privileges, allowing any user to create a new administrative account.
  4. The web interface installs with default administrative credentials (admin/admin).

Solution

Zoho has released ADAudit Plus 5.0 Build 5020 to address these vulnerabilities.

Disclosure Timeline

2015-09-23 - Issues discovered
2015-09-23 - Issues reported to vendor via [email protected] as the security response center page doesn't allow attachments
2015-09-23 - Automated reply from ManageEngine, ##2453571## and ##2453700## created
2015-09-24 - Vendor acknowledgement from RB on ADSolutions Team. Asks to confirm testing latest build.
2015-09-24 - Confirm test was against latest build, reply to vendor.
2015-11-04 - Vendor says all issues addressed, will be in future build. No ETA at this time.
2016-02-17 - Ping vendor for status
2016-02-18 - Vendor says 4.6 Build 4600 is latest, doesn't specify if that fixes the reported issues
2016-02-18 - Ping vendor asking for confirmation it fixes all reported issues
2016-02-19 - Vendor says will check with product team.
2016-02-22 - Vendor confirms 4.6 Build 4600 fixes the issues we reported.
2016-02-22 - Ping vendor asking how Build 4600 fixes issues in Build 4681 that we reported, perhaps they meant 4690?
2016-02-22 - Vendor confirms 4.6 Build 4690 fixes the issues we reported.
2016-03-14 - Re-tested original issues against Build 4690, all still present
2016-03-15 - Vendor follow-up mail asking if app meeting our needs "with the fixes"
2016-03-15 - Reply to vendor informing them not a single issue was fixed
2016-03-15 - Vendor replies, will update Dev team of our note
2016-03-18 - Tenable emails a new security contact asking for help resolving this
2016-03-22 - Vendor says CSRF not fixed yet, XSS and Priv Esc fixed in Build 4690 "for New UI"
2016-03-22 - Tenable responds, asks for ETA on CSRF
2016-03-22 - Vendor system auto assigns ##7392310## to our response.
2016-03-28 - Ticket ##2453700## closed without explanation.
2016-03-30 - Tenable asks security@ what is going on with ticket. Report to them Build 4690 fixes NONE of the issues originally reported. Send them additional pages affected by XSS.
2016-03-31 - Vendor says CSRF ETA end of 2nd quarter, XSS and Priv Esc fixed in Build 4690 "New UI" still exists in "Old UI"
2016-04-06 - Tenable tests "New UI", CSRF appears fixed. XSS still vulnerable with trivial modification to payload. Report to vendor.
2016-04-07 - Vendor sends patch for 4690 / 4691, "included in our next release"
2016-04-11 - Vendor sends marketing mail announcing Build 4691 release. No mention of security fixes.
2016-05-18 - Vendor replies asking if everything is OK with application
2016-05-30 - Tenable sends simple PoC showing still vulnerable, regardless of UI.
2016-05-31 - Vendor replies, says fixed in 5.0 Build 4693.
2016-05-31 - Automated reply from ManageEngine, ##7428643## assigned. Second reply asking what our issue is.
2016-05-31 - Tenable asks for a copy of Build 4693 to test.
2016-06-10 - Vendor sends form letter asking for "detailed description of the issue".
2016-06-17 - Vendor sends second form letter asking for "detailed description of the issue".
2016-06-22 - Vendor informs us their request IDs start with '7' and to verify our ticket number.
2016-06-27 - Vendor says they have not heard from us, closes ##7428643##.
2016-08-18 - Tenable assumes we won't get the new build to test.
2016-10-26 - Tenable confirms all vulns are still present on 5.0.0 Build 5000
2016-10-29 - Tenable mails vendor with new details, provides timelines
2016-10-29 - Vendor auto-opens ##7501901##
2016-10-31 - Vendor says info forwarded to Dev. The upcoming release will make the Old UI "not available".
2016-12-?? - Vendor releases 5.0 Build 5020
2017-01-19 - Ping vendor for update
2017-01-19 - Vendor auto-opens ##2453700##
2017-01-20 - Vendor responds that version released in Dec restricts old UI and vulnerable links
2017-01-20 - Vendor also responds they will look into our request
2017-01-20 - Tenable asks which version specifically fixed these issues
2017-01-23 - Vendor confirms build version 5020 fixed these issues

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2017-06
Credit:
Edward Prevost, Tenable Network Security
CVSSv2 Base / Temporal Score:
9.0 / 7.4
CVSSv2 Vector:
(AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Affected Products:
ADAudit Plus 4.6.0 Build 4681, 5.0.0 Build 5000
Risk Factor:
High

Advisory Timeline

2017-01-23 - [R1] Initial Release