Hi,
This is a security advisory for all Password Manager Pro customers, announcing a security issue that we've identified in version 10.0, build number 10000. The 10000 upgrade pack was released on March 26th at 9 AM Eastern Standard Time. The issue was identified on March 28th at 6 AM Eastern Time, and the upgrade pack was immediately pulled from our website. This security issue therefore affects only a small subset of Password Manager Pro customers: those who performed an upgrade between March 26th and March 28th to reach version 10000. Those affected are advised to immediately disable the "Personal" section in Password Manager Pro by navigating to Admin-->General Settings-->Personal Passwords-->Allow users to manage their personal passwords.
Issue: Exposure of personal passwords to all users who use the built-in PMP Encryption option together with Custom Categories.
Severity: High
Affected customers: Customers who performed an upgrade between March 26th and March 28th to reach version 10000, with all of the following conditions met:
- Customers running version 10000 after performing an upgrade between March 26th and March 28th.
- Customers using the "Personal" section of Password Manager Pro.
- Users using the PMP Encryption key option for managing "Personal passwords", rather than choosing their own Encryption Key.
- Users who have created Custom Categories in their own "Personal Passwords" section in the Vault.
Issue Description: This issue only affects the "Personal" tab in Password Manager Pro. All users are allowed to choose between PMP's own encryption key and their own encryption key phrase for storing information in their "Personal" tab. The affected upgrade pack impacts only users who did not choose their own Encryption Key and who have created Custom Categories. The affected upgrade pack was designed to update the Unique ID value of the Custom Categories created by all users in the product database. Because of a query mismatch, the Custom Category records of all users were listed in the view of any user who uses Custom Categories. Since these users had opted to use the same PMP Encryption key for their stored data, that information was readable by every user who uses Custom Categories.
Difficulty: While the chance that your installation is affected is very small, there is still a marginal possibility that personal information stored by one of your users is visible to other users who use the "Personal" section of Password Manager Pro and have created Custom Categories.
How to find out if you're affected: Are you using version 10000 of PMP, and was the upgrade performed between March 26th and March 28th? If so, please compare the MD5 checksum of your upgrade pack (.ppm file) with the information listed below.
Affected upgrade pack file name: ManageEngine_PasswordManager_Pro_9900_9901_to_10000.ppm
Affected PPM file MD5SUM: 33136311a4c41db2aeec07d310b1e401
How to address the issue: If you are one of the customers who downloaded and applied the upgrade pack between March 26th and March 28th, please log in to Password Manager Pro as an administrative user. Navigate to Admin-->General Settings-->Personal Passwords and disable the option "Allow users to manage their personal passwords". This disables the "Personal" section for all users. You can then contact our support team at passwordmanagerpro-support@manageengine.com or call us at +1 408 454 4014. Our support team will be glad to provide you with the link to download the fixed patch file.
All other customers can continue to download and apply the upgrade packs from here, as the download already contains the fixed upgrade pack file.
Fixed upgrade pack file name: ManageEngine_PasswordManager_Pro_9900_9901_to_10000.ppm
Fixed PPM file MD5SUM: 995ea3da05c518503deecd8fb7be93d3
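Since the affected and fixed packs share the same file name and differ only by checksum, the following shell check (an added example, not part of the advisory) computes the MD5 of a downloaded .ppm and reports which of the two published values it matches. It assumes md5sum or openssl is installed; a checksum matching neither value does not prove the pack is safe, only that it is not the one described here.

```shell
#!/bin/sh
# Added example (not ManageEngine code): classify a PMP 10000 upgrade pack
# by comparing its MD5 with the two checksums published in the advisory.
AFFECTED_MD5="33136311a4c41db2aeec07d310b1e401"   # pulled pack
FIXED_MD5="995ea3da05c518503deecd8fb7be93d3"      # replacement pack

# Print the lowercase hex MD5 of a file, using md5sum where present and
# falling back to openssl (assumption: one of the two is installed).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= *//'
    fi
}

# Map an MD5 string (any case) to one of: affected, fixed, unknown.
classify_md5() {
    hash=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$hash" in
        "$AFFECTED_MD5") echo affected ;;
        "$FIXED_MD5")    echo fixed ;;
        *)               echo unknown ;;
    esac
}

# Check one .ppm file and explain the verdict. Exit status: 0 fixed pack,
# 1 affected pack, 2 file missing, 3 checksum matches neither value.
check_ppm() {
    ppm="$1"
    [ -f "$ppm" ] || { echo "no such file: $ppm" >&2; return 2; }
    verdict=$(classify_md5 "$(file_md5 "$ppm")")
    case "$verdict" in
        affected)
            echo "$ppm: AFFECTED pack. Disable the Personal section and contact support."
            return 1 ;;
        fixed)
            echo "$ppm: fixed pack, not affected by this issue."
            return 0 ;;
        *)
            echo "$ppm: checksum matches neither published value; verify the download source."
            return 3 ;;
    esac
}

# Usage: sh check_ppm.sh /path/to/ManageEngine_PasswordManager_Pro_9900_9901_to_10000.ppm
if [ $# -eq 1 ]; then
    check_ppm "$1"
fi
```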
Ganesh
Manager - Support & Client services
ManageEngine
Password Manager Pro
p: +1 408 454 4014