State of New Jersey SealOFFICIAL SITE OF THE STATE OF NEW JERSEY

Vulnerability in Zoho ManageEngine ADSelfService

NJCCIC Advisory

Original Release Date: 8/12/2020

Summary

A vulnerability has been discovered in Zoho ManageEngine ADSelfService Plus, which could allow for remote code execution. ManageEngine ADSelfService Plus is an integrated Active Directory self-service password management and single sign on solution by ZOHO Corporation. Successful exploitation of this vulnerability may allow an unauthenticated attacker to remotely execute commands with system level privileges on target windows host. An attacker can exploit this issue to execute arbitrary code in the context of the affected system. Failed exploit attempts may result in a denial-of-service condition.

Threat Intelligence

A proof of concept for this vulnerability has been made available on YouTube.

System Affected

  • Zoho ManageEngine ADSelfService Plus prior to 6.0 Build 6003 are vulnerable

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium government entities: High
    Small government entities: High

Home Users: Low

Technical Summary

This vulnerability exists within the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \windows\system32, cmd.exe can be launched as a SYSTEM.

Recommendations

We recommend the following actions be taken:

  • Apply the stable channel update provided by ZOHO Corporation to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

References

Patch Update

CVE

Disclosure

Proof of Concept Video via YouTube

Reporting

We encourage recipients who discover signs of malicious cyber activity to contact us via the cyber incident report form by clicking here.

Join & Subscribe

Never miss an update! Sign up for a no cost membership today! Receive up-to-date content and more in our weekly bulletin.

Sign Up

Featured Content

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.

Agency Seals of State of NJ, NJOHSP and NJCCIC

STAY CONNECTED:

View our Privacy Policy here.

View our Site Index here.