Researchers have discovered a critical vulnerability in Zoho’s cloud-based ADSelfService Plus password management and single sign-on (SSO) solution.
The flaw could be exploited by remote, unauthenticated attackers to gain privileged access to an organisation’s infrastructure.
This vulnerability could allow an unauthenticated attacker privileged access to an organisation’s cloud and on-prem environments.
ADSelfService Plus builds up to and including 6113.
Containment, Mitigations & Remediations
Zoho ManageEngine has provided an update (build 6114) which it is hoped remediates the vulnerability.
They have also provided tools for detecting exploitation of the vulnerability.
Zoho ManageEngine recommends performing the following actions on the ADSelfService Plus server:
• Run the exploit detection tool.
• Check for specific log entries.
• Check for specific files in your system.
If you find that you are compromised, Zoho ManageEngine recommends rebuilding the device from scratch with the updated version and checking for further signs of compromise and lateral movement.
This latter part is significantly easier said than done.
CISA, the FBI, and CGCYBER believe a Chinese state-sponsored actor uses a previously undisclosed vulnerability in a widely used OpenSSH version to run a remote code execution exploit to access systems.
Sectors currently targeted by this actor include:
- Education Industries
The threat actor took advantage of this flaw to gain access to specific organisations, then worked their way through the network and deployed additional tools to gather credentials and sensitive information and to attain persistence.
Several Zoho ManageEngine products have recently been found to contain critical vulnerabilities that allowed the creation of privileged accounts and, in doing so, bypassed the normal detection and alerting mechanisms for the creation of such accounts.
These vulnerabilities and their associated exploits are not limited to the threat actor or sectors described above.
Indicators of Compromise
Evidence of local file/path traversal within log files of the web server serving ADSelfService Plus:
- In ManageEngine\ADSelfService Plus\logs\access_log_<date>.txt the presence of “/../RestAPI” or “/./RestAPI”
- In ManageEngine\ADSelfService Plus\logs\serverOut_<date>.txt the presence of “java.lang.ClassCastException: org.apache.catalina.connector.RequestFacade cannot be cast to com.adventnet.iam.security.SecurityRequestWrapper”
- In ManageEngine\ADSelfService Plus\logs\adslog_<date>.txt the presence of Java traceback errors referencing NullPointerException in addSmartCardConfig or getSmartCardConfig
- The presence of “service.cer” in \ManageEngine\ADSelfService Plus\bin\
- The presence of “adap.jsp” in \ManageEngine\ADSelfService Plus\webapps\adssp\help\html\promotion\
- The presence of “ReportGenerate.jsp” in \ManageEngine\ADSelfService Plus\help\admin-guide\Reports\ or \ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports\
- The presence of “custom.bat” in C:\Users\Public\
- The presence of “custom.txt” in C:\Users\Public\
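The indicator list above can be turned into a triage check over collected logs and a mounted copy of the install directory. The following is an added example, not Zoho's detection tool or code from this advisory; the function names, the 15-line traceback window and the sample log lines are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Single-line indicators, keyed by log file name prefix (strings from the list above).
LINE_IOCS = {
    "access_log": re.compile(r"/\.{1,2}/RestAPI"),
    "serverOut": re.compile(re.escape(
        "java.lang.ClassCastException: org.apache.catalina.connector.RequestFacade "
        "cannot be cast to com.adventnet.iam.security.SecurityRequestWrapper")),
}
SMARTCARD = re.compile(r"\b(?:add|get)SmartCardConfig\b")
TRACE_WINDOW = 15  # assumption: the method's stack frame is within 15 lines of the exception

# Indicator files relative to the install directory, then those under C:\Users\Public.
INSTALL_FILES = [
    ("bin", "service.cer"),
    ("webapps", "adssp", "help", "html", "promotion", "adap.jsp"),
    ("help", "admin-guide", "Reports", "ReportGenerate.jsp"),
    ("webapps", "adssp", "help", "admin-guide", "reports", "ReportGenerate.jsp"),
]
PUBLIC_FILES = ["custom.bat", "custom.txt"]

def scan_log(log_name, lines):
    """Return (line_number, text) hits for the lines of one log file."""
    hits, last_npe = [], None
    pattern = next((p for k, p in LINE_IOCS.items() if log_name.startswith(k)), None)
    for n, line in enumerate(lines, 1):
        if log_name.startswith("adslog"):
            # A traceback spans lines: pair the exception with a nearby smart-card frame.
            if "NullPointerException" in line:
                last_npe = n
            if last_npe and n - last_npe <= TRACE_WINDOW and SMARTCARD.search(line):
                hits.append((n, line.strip()))
                last_npe = None  # report each traceback once
        elif pattern and pattern.search(line):
            hits.append((n, line.strip()))
    return hits

def find_ioc_files(install_dir, public_dir):
    """Return the indicator files that exist under the two directories."""
    paths = [Path(install_dir).joinpath(*parts) for parts in INSTALL_FILES]
    paths += [Path(public_dir) / name for name in PUBLIC_FILES]
    return [p for p in paths if p.is_file()]

# Constructed sample lines (not from a real incident) to exercise scan_log.
SAMPLE_ACCESS = ['203.0.113.7 - - "POST /./RestAPI/Example HTTP/1.1" 200',
                 '203.0.113.7 - - "GET /RestAPI/Example HTTP/1.1" 200']
SAMPLE_ADSLOG = ["java.lang.NullPointerException", "    at frame.one(Unknown)",
                 "    at com.example.Handler.getSmartCardConfig(Handler.java:1)"]
```

Pass each log's file name and its lines to `scan_log`, and the install directory plus the Public folder to `find_ioc_files`; any non-empty result warrants the rebuild and lateral-movement review described above.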