[Security advisory] Authentication bypass vulnerability in Active Directory/LDAP authentication

[Security advisory] Authentication bypass vulnerability in Active Directory/LDAP authentication

This security advisory addresses the authentication bypass vulnerability in ServiceDesk Plus MSP due to value override in required entries for LDAP authentication. This vulnerability affects customers using versions 10600 to 10610 and 13000 to 13003 of ServiceDesk Plus MSP, and we strongly urge all customers to upgrade to the latest version of ServiceDesk Plus MSP immediately.

Severity: Critical

Impact

Unauthenticated access to the ServiceDesk Plus MSP application for affected users' credentials

 

What lead to the vulnerability?

When user details are imported from an Active Directory/LDAP server into the ServiceDesk Plus MSP application and are then modified, either manually or through API, a certain critical user field for LDAP authentication is over ridden with unexpected values. This creates a vulnerability that allows an adversary to log in to the application using any random input as the password.

 

This vulnerability is applicable only when: 

  • LDAP authentication is enabled.

  • Anonymous binding is enabled in the LDAP server.

Who is affected?

This vulnerability affects ServiceDesk Plus MSP customers using versions 10600 to 10610 and 13000 to 13003.

 

How was the issue fixed?

We have ensured that all critical user fields are preserved and proper validation is done before sending an authentication request to the LDAP server.

 

How to find out if you are affected

Click the Help button in the top-right corner of the ServiceDesk Plus MSP web client and select About from the drop-down to see your current version. Your installation is vulnerable if your current version is between 10600 to 10610 and 13000 to 13003.

 

What customers should do

Workaround

Customers can disable LDAP authentication in ServiceDesk Plus MSP or disable anonymous binding in the LDAP server.

Solution

Customers using versions 13000 to 13003 can upgrade to the latest version (13004) and customers using versions 10600 to 10610 can upgrade to 10611 using the appropriate migration path listed here.

 

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or call us toll free at +1.888.720.9500.

 

Important note: As always, make a copy of your entire ServiceDesk Plus MSP installation folder before applying the upgrade and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all of your settings intact. If you are using Microsoft SQL Server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

 

We offer our sincerest apologies for any inconvenience this vulnerability may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com.

 

Best,

Umashankar

ManageEngine ServiceDesk Plus MSP

                  New to ADSelfService Plus?