Australia Warns of Critical Vulnerability in Zoho ServiceACSC: Vulnerability in Password Management Platform Had RCE Capability
The Australian Cyber Security Center, or ACSC, has issued a critical vulnerability alert in a Zoho Corp. password management service that could enable a threat actor to take control of the targeted host.
See Also: Zero Trust: 3 Critical Considerations
The vulnerability in ADSelfService Plus, an integrated password management and sign-on solution for Active Directory and cloud apps, was discovered on Sept. 7, according to the ACSC. The ADSelfService Plus product is run by Zoho's IT management division, ManageEngine.
The company has released a patch, notified its customers about the critical vulnerability, and advised them to update the software to the latest version - build 6114, a ManageEngine spokesperson tells Information Security Media Group.
"We are also taking steps to apply the lessons from this incident and to introduce additional security control measures wherever required," the spokesperson adds.
Impact of the Vulnerability
ACSC's analysis of the vulnerability showed an "increased number of potentially vulnerable and exposed" ADSelfService Plus instances in a number of medium and large enterprises in Australia.
Although the advisory did not specify the scale of potential damage, a ManageEngine statement from 2019 says the company had over 4,000 Australian customers at the time.
The flaw, tracked under CVE-2021-40539, has been rated critical by the Common Vulnerability Scoring System. ManageEngine classified the flaw as an authentication bypass vulnerability that could allow a threat actor to carry out subsequent attacks, potentially leading to remote code execution.
According to Darshit Ashara, associate vice president of research at Indian threat intelligence firm CloudSEK, which assessed the vulnerability, it was caused by a "path normalization bug." This bug, he says, allows the attacker to modify a string through which a system identifies a path or a file and then makes it imitate a valid path on the target's system.
The implications of the vulnerability in the self-service password management tool, if exploited, are very serious, he says. "Once the attackers gain initial access to a corporate system, they can enable lateral movements in the internal network," he adds.
He also says a system infected with a ransomware is not confined to the organization alone, but spreads to all its customers and vendors on the supply chain.
Prior to ACSC's security warning, the ManageEngine vulnerability was red-flagged in a joint advisory issued by the Federal Bureau of Investigation, the U.S. Coast Guard Cyber Command and the Cybersecurity and Infrastructure Security Agency or CISA on Sept. 16. In the joint advisory, CISA says the vulnerability "poses serious risk" to critical infrastructure companies, defense contractors and academic institutions.
The threat actors exploiting the ManageEngine vulnerability frequently write web shells for initial persistence, the advisory shows. The vulnerability also allows them to decode files for information, dump user credentials, steal copies of the Active Directory database, and collect and archive files for exfiltration using Windows utilities, it says.
According to CISA, threat actors have targeted U.S. academic institutions, defense contractors and critical infrastructure in several sectors, including IT, transportation, manufacturing, communications and finance.
Detection and Mitigation
ManageEngine has developed a tool to help users identify whether they have been affected by the CVE-2021-40539 vulnerability.
The company recommends that users to download a ZIP file from the Vulnerability Scanner, right-click on the "RCEScan.bat" file and run it as an administrator.
If the system is affected, users will see a message saying: "Result: Your ADSelfService Plus installation is affected by authentication bypass vulnerability."
Users can also check for intrusion on the access log files of the ADSelfService Plus software and for strings with an entry that contains "/../RestAPI."
If the installation is affected, ManageEngine recommends that users disconnect the infected system from the corporate network, back up the ADSelfService Plus database and then format the compromised system.
Users can then download the updated version of ADSelfService Plus, restore the backup, and then update the installation to latest build 6114.
Following this, users can check for unauthorized access and for signs of lateral movement. If there are signs of compromised Active Directory accounts, ManageEngine recommends initiating a password reset.