Network Configuration Manager- Security advisory regarding CVE-2020-11946

This is an announcement regarding a security advisory addressing an unauthenticated servlet call vulnerability fixed in the latest version of Network Configuration Manager v12.4.196. PLEASE READ THROUGH THIS POST COMPLETELY to check whether your installation has been affected or not, and if affected, learn how you can resolve it.

Issue and description:

Unauthenticated API key disclosure - An unauthenticated access method that returns the product's API key was discovered. An attacker could use the disclosed key to add an admin user through an API call and then carry out admin-level operations. This is a critical security vulnerability. (Refer: CVE-2020-11946)

Who has been affected?

Any Network Configuration Manager installation with build number between 12.3.xxx and 12.4.195 (for product versions v12.3 and v12.4), and build number between 12.5.001 and 12.5.119 (for product version v12.5) could be exploited using this vulnerability.

How did the security team at ManageEngine resolve this vulnerability?

This issue was reported to us by @kuncho, an independent security researcher, on April 12. As soon as we were informed of it, suitable authentication checks were added to the API call, and the latest Network Configuration Manager version containing the fix, i.e. v12.4.196, was released for all products on April 22, 2020.

How can I identify if my installation has been compromised?

    1. Check if there are any new NCM user accounts in the product that look suspicious, by navigating to Settings > General Settings > User management. If there are any, delete that new user profile immediately and contact our support team.

    2. You can also check the access logs for unauthenticated requests. Under the "logs" folder in the product installation directory, open access_log.txt and check whether any of the following API calls have been made from external IPs, i.e. from addresses that do not carry the suffix "- localhost":

        i. sendData - used to expose the API key to the attacker

        ii. addUser - possible add user action performed using the obtained key

        iii. testNProfile - possible RCE performed on some/all devices in the network

If any of these are noticed in your setup, IMMEDIATELY SHUT DOWN THE INSTALLATION, and contact our support team.
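As an added example (not code from the advisory or from the product), the following Python script automates the access_log.txt check above: it flags any request for the three servlet names that is not marked "- localhost". The advisory does not show the exact layout of access_log.txt, so the sample lines and the parsing regex below are constructed assumptions; adjust LINE_RE to match your file.

```python
import re
import sys

# Servlet names the advisory tells administrators to look for.
SUSPECT_CALLS = ("sendData", "addUser", "testNProfile")

# Constructed sample log content. Assumed layout (not from the advisory):
# client address, optional " - localhost" marker, timestamp, quoted request line, status.
SAMPLE_LOG = """\
127.0.0.1 - localhost [22/Apr/2020:10:01:12 +0000] "GET /servlet/sendData?x=1 HTTP/1.1" 200
198.51.100.23 [22/Apr/2020:10:03:44 +0000] "GET /servlet/sendData HTTP/1.1" 200
198.51.100.23 [22/Apr/2020:10:04:02 +0000] "POST /servlet/addUser HTTP/1.1" 200
127.0.0.1 - localhost [22/Apr/2020:10:05:00 +0000] "GET /index.html HTTP/1.1" 200
203.0.113.9 [22/Apr/2020:10:06:31 +0000] "POST /servlet/testNProfile HTTP/1.1" 200
"""

# Assumed line format: address, optional "- localhost" suffix, then a quoted request line.
LINE_RE = re.compile(r'^(?P<addr>\S+)(?P<local> - localhost)? .*?"(?P<method>\w+) (?P<path>\S+)')


def servlet_name(path):
    """Return the last path segment with any query string removed, e.g. '/servlet/addUser?x' -> 'addUser'."""
    return path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]


def find_suspect_requests(log_text):
    """Return (line_no, client_addr, servlet) for every non-localhost request to a suspect servlet."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m.group("local"):
            continue  # unparsable line, or a request marked as local by the product
        name = servlet_name(m.group("path"))
        if name in SUSPECT_CALLS:
            hits.append((line_no, m.group("addr"), name))
    return hits


if __name__ == "__main__":
    # Pass the real access_log.txt as the first argument; otherwise the constructed sample is scanned.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line_no, addr, name in find_suspect_requests(text):
        print(f"line {line_no}: {name} requested from {addr} (not localhost) - review and contact support")
```

Any hit is only an indicator; per the advisory, treat it as a reason to shut the installation down and involve support rather than as proof of compromise on its own.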

What can I do to fix this vulnerability?

If you are on any Network Configuration Manager build up to 12.4.195, it is advised to upgrade to Network Configuration Manager v12.4.196 right away from the service pack page of Network Configuration Manager.

For users of Network Configuration Manager version 12.5, it is advisable to upgrade to build 12.5.120 using the link below for each product: Download Network Configuration Manager 12.5.120

You can also directly contact our security team for assistance with the upgrade at itom-upgrades@manageengine.com.