Dear users,
This is a security advisory regarding a possible authentication bypass vulnerability in AssetExplorer, which has been identified and rectified. Users of AssetExplorer versions 6503 to 6723 who have enabled SAML authentication are affected by this vulnerability and are advised to update to the latest version (6724) immediately.
What led to the vulnerability?
Who is affected?
This vulnerability affects customers of any edition of AssetExplorer between version 6503 and 6723 who have SAML authentication enabled.
How have we fixed it?
This vulnerability has been addressed in AssetExplorer 6724 by fixing the security check mechanism so that authentication uses the securely stored username and domain details rather than values taken directly from incoming parameters, which can be tampered with easily.
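The general pattern behind this kind of fix, as an added illustration that is not AssetExplorer's code: the identity verified at SAML time is kept server-side under a one-time token, and the login step reads it from there instead of from the request. All function names, parameter names and sample values are assumptions made for the example.

```python
import secrets

# Identities taken from an already verified SAML response, keyed by a
# one-time token. Hypothetical design; verification itself is out of scope.
_pending = {}

def begin_login(verified_username, verified_domain):
    """Record the verified identity server-side and return an opaque token."""
    token = secrets.token_urlsafe(32)
    _pending[token] = (verified_username, verified_domain)
    return token

def complete_login_unsafe(params):
    """Flawed pattern: the identity is read from request parameters."""
    return (params.get("username"), params.get("domain"))

def complete_login(params):
    """Corrected pattern: the identity comes only from the server-side record."""
    identity = _pending.pop(params.get("token") or "", None)  # single use
    if identity is None:
        raise PermissionError("unknown or already used login token")
    for key, expected in zip(("username", "domain"), identity):
        if key in params and params[key] != expected:
            # A mismatch is a tampering signal worth logging and alerting on.
            raise PermissionError(f"{key} does not match the verified identity")
    return identity

if __name__ == "__main__":
    token = begin_login("alice", "CORP")  # constructed sample values
    tampered = {"token": token, "username": "administrator", "domain": "CORP"}
    print("unsafe:", complete_login_unsafe(tampered))
    try:
        complete_login(tampered)
    except PermissionError as exc:
        print("rejected:", exc)
```

The corrected function fails closed: a mismatched or replayed request consumes the token and raises, so the event can be logged rather than silently ignored.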
How to find out if you are affected?
Click the Help link in the top-right corner of the AssetExplorer web client. Select the About option from the drop-down to see your current version. If your current version is between 6503 and 6723 and you are using SAML authentication, you might be affected.
What should customers do?
Download the upgrade pack from https://www.manageengine.com/products/asset-explorer/service-packs.html and immediately upgrade to version 6724 or above. Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.
Important note: As always, make a copy of the entire AssetExplorer installation folder before initiating the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MSSQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at assetexplorer-support@manageengine.com.