[Security advisory for CVE-2021-44675] Authentication bypass vulnerability in ServiceDesk Plus MSP that could lead to remote code execution till 10532

[Security advisory for CVE-2021-44675] Authentication bypass vulnerability in ServiceDesk Plus MSP that could lead to remote code execution till 10532

Hi there,

 

This security advisory addresses an authentication bypass vulnerability that affects ServiceDesk Plus MSP versions up to 10532.

 

Please note that we are noticing exploits of this authentication bypass vulnerability, and we strongly urge all customers using ServiceDesk Plus MSP (all editions) with versions up to 10532 to update to the latest version immediately.

 

Severity: Critical

 

Impact:

This vulnerability can allow an adversary to execute arbitrary code and conduct any subsequent attacks.

 

What led to the vulnerability?

One of the application filters used for handling state in the list view was not configured properly, and a crafted URL using this filter would enable an authenticated URL to be accessed without proper authentication.

 

Who is affected?

This vulnerability affects ServiceDesk Plus MSP customers of all editions using versions up to 10532.

 

How have we fixed it?

We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.

  

How to find out if you are affected

Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client, and select About from the drop-down to see your current version. If your current version is 10532 and below, you might be affected.


What customers should do

Customers who fit the above criteria can upgrade to the latest version 10.5 - Build 10534 using the appropriate migration path.

 

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or call us toll-free at +1.888.720.9500.

 

Important note: As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

 

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com.