On September 16th, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and United States Coast Guard Cyber Command (CGCYBER) released a new joint advisory titled – Alert (AA21-259A) APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus. Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to a REST API authentication bypass, which ultimately allows for remote code execution. The vulnerability has been assigned CVE-2021-40539.What Are the Technical Details of the Vulnerability?An authentication bypass vulnerability exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. Remote code execution is possible via affected REST API URL(s) that could allow for remote code execution. Successful exploitation of the vulnerability allows an attacker to place webshells within the victim environment. Once inside the victim environment, an adversary can conduct the following – Lateral movement, compromising administrator credentials, post exploitation, and exfiltrating registry hives and Active Directory files from a domain controller.Is this Being Exploited in the Wild?Yes. According to US-CERT, this is limited to targeted attacks by a sophisticated unnamed APT group.What Verticals are Being Targeted?According to the US-CERT alert, the following list of verticals have been observed to be targeted – academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors including transportation, IT, manufacturing, communications, logistics, and finance. What is the CVSS score?9.8 CRITICALHas the Vendor Issued a Patch?Yes, patches were released on September 6th, 2021 by the vendor. Please refer to the APPENDIX “ADSelfService Plus 6114 Security Fix Release” for details.What is the Status of Coverage? FortiGuard Labs provides the following IPS signature for CVE-2021-40539:Zoho.ManageEngine.ADSelfService.Plus.Authentication.BypassAny Mitigation and or Workarounds?It is strongly recommended to update to ADSelfService Plus build 6114. This update is located on the vendor homepage “ADSelfService Plus 6114 Security Fix Release” within the APPENDIX. It is also highly suggested to keep all affected devices from being publicly accessible or being placed behind a physical security appliance/firewall, such as a FortiGate. For further mitigation and workarounds, please refer to the US-CERT Alert and the Zoho Advisory in the APPENDIX.
More Stories
CyberDanube Security Research 20241219-0 | Authenticated Remote Code Execution in Ewon Flexy 205
Posted by Thomas Weber | CyberDanube via Fulldisclosure on Dec 21 CyberDanube Security Research 20241219-0 ------------------------------------------------------------------------------- title| Authenticated Remote Code...
USN-7179-1: Linux kernel vulnerabilities
Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote...
USN-7173-2: Linux kernel vulnerabilities
Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to...
swiftlint-0.57.1-1.fc42
FEDORA-2024-87d30b4fbf Packages in this update: swiftlint-0.57.1-1.fc42 Update description: Automatic update for swiftlint-0.57.1-1.fc42. Changelog * Fri Dec 20 2024 Davide Cavalca...
USN-7166-3: Linux kernel (HWE) vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This...
USN-7159-4: Linux kernel (IoT) vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This...