OpUtils - Security advisory regarding CVE-2020-11946

OpUtils - Security advisory regarding CVE-2020-11946

This is an announcement regarding a security advisory addressing an unauthenticated servlet call vulnerability fixed in the latest version of OpUtils v12.4.196. PLEASE READ THROUGH THIS POST COMPLETELY to check whether your installation has been affected or not, and if affected, learn how you can resolve it.

 

Issue and description: 

 

Unauthenticated API key disclosure - There was an unauthenticated access method to obtain the API key that was discovered in the product. This could be exploited by the perpetrator to add an admin user using an API call and carry out admin-level operations.This is a critical security vulnerability. (Refer: CVE-2020-11946)

 

Who has been affected?

 

Any OpUtils installation with build number between 12.3.xxx and 12.4.195 (for product versions v12.3 and v12.4), and build number between 12.5.001 and 12.5.119 (for product version v12.5) could be exploited using this vulnerability.

 

How did the security team at ManageEngine resolve this vulnerability?

 

This issue was reported to us by @kuncho, an independent security researcher on April 12. As soon as we were informed of this, suitable authentication measures were added for the API call, and the latest OpUtils version with the fix, i.e. v12.4.196 was released for all products on April 22, 2020.

 

 

How can I identify if my installation has been compromised?

 

    1. Check if there are any new OpUtils user accounts in the product that look suspicious, by navigating to Settings > General Settings > User management. If there are any, delete that new user profile immediately and contact our support team.

    2. Also, you can check the access logs for any unauthenticated requests. Under the "logs" folder in the product installation directory, open access_log.txt and check if any of the following API calls have been made from any external IPs i.e. without the suffix "- localhost" next to the address: 

        i. sendData - used to expose the API key to the attacker

        ii. addUser - possible add user action performed using the obtained key

        iii. testNProfile - possible RCE performed on some/all devices in the network

 

If any of these are noticed in your setup, IMMEDIATELY SHUT DOWN THE INSTALLATION, and contact our support team.

 

What can I do to fix this vulnerability?

 

If you're on any of OpUtils builds till 12.4.195, it is advised to upgrade to OpUtils v12.4.196 right away from the service pack page of OpUtils.

 

For users of OpUtils version 12.5, it is advisable to upgrade to build 12.5.120 using the link below for each product: Download OpUtils 12.5.120

 
You can also directly contact our security team for assistance with the upgrade at itom-upgrades@manageengine.com.

              New to ADManager Plus?

                New to ADSelfService Plus?