Hi there,
This security advisory addresses two authentication bypass vulnerabilities that affect AssetExplorer versions up to 6952 (CVE-2021-44526) and AssetExplorer customers who use the Desktop Central agent for asset discovery (CVE-2021-44515).
Important note: If you are a customer of AssetExplorer who uses the Desktop Central agent for asset discovery, follow the steps outlined in the advisories for both CVE-2021-44526 and CVE-2021-44515.
If you are a customer of AssetExplorer who does not use the Desktop Central agent, please only follow the steps outlined in the advisory for CVE-2021-44526, explained in this email.
CVE-2021-44515 affects customers of AssetExplorer who use the Desktop Central agent for asset discovery, and can lead to a remote code execution attack. We strongly urge customers who use the Desktop Central agent to refer to this security advisory for more information and the steps to upgrade Desktop Central to the latest version.
CVE-2021-44526 affects customers using all editions of AssetExplorer versions 6952 and below, irrespective of whether they use the Desktop Central agent, and we strongly urge all customers to upgrade to the latest version of AssetExplorer immediately.
The rest of this advisory focuses on CVE-2021-44526, an authentication bypass vulnerability in AssetExplorer versions up to 6952.
Severity: High
Impact:
This vulnerability can allow an adversary to bypass authentication and access the Asset Name and the Asset Field's Allowed Values configurations.
What led to the vulnerability?
One of the application filters used for handling state in the list view was not configured properly, and a crafted URL passing through this filter would allow a servlet that requires authentication to be reached without a valid login. APIs and other URL calls are not affected.
Who is affected?
This vulnerability affects AssetExplorer customers of all editions using versions 6952 and below.
How have we fixed it?
We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.
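The advisory does not say which filter setting was wrong, so the following is not AssetExplorer's code or ManageEngine's fix. It is an added, generic illustration of the class of check being described for a Java servlet application: an authentication filter that is mapped to every path and every dispatcher type (so that a request reaching a protected servlet through another filter's forward or include is still checked), plus a belt-and-braces check inside the protected servlet itself. The class names, the `authenticatedUser` session attribute, and the `/login` and `/static/` public paths are all assumptions.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Illustrative authentication filter (hypothetical; not AssetExplorer code).
// Mapping it to "/*" and to all dispatcher types means it runs no matter how
// the request arrives at a protected servlet: direct request, a forward or
// include issued by another filter (for example one that manages list-view
// state), or an error dispatch.
@WebFilter(urlPatterns = "/*",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD,
                              DispatcherType.INCLUDE, DispatcherType.ERROR})
public class AuthenticationFilter implements Filter {
    // Hypothetical session attribute that the login servlet sets on success.
    static final String USER_ATTR = "authenticatedUser";

    @Override public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest  http = (HttpServletRequest) req;
        HttpServletResponse out  = (HttpServletResponse) res;

        if (isPublic(http) || isAuthenticated(http)) {
            chain.doFilter(req, res);   // continue to the next filter / servlet
            return;
        }
        // Deny without revealing anything about the protected resource.
        out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    static boolean isAuthenticated(HttpServletRequest req) {
        HttpSession s = req.getSession(false);   // never create a session here
        return s != null && s.getAttribute(USER_ATTR) != null;
    }

    // Explicit allowlist of unauthenticated paths; everything else needs a login.
    static boolean isPublic(HttpServletRequest req) {
        String path = req.getServletPath();
        return "/login".equals(path) || path.startsWith("/static/");
    }

    @Override public void destroy() {}
}

// Hypothetical protected servlet. Re-checking the session here is the
// "additional check" pattern: even if a filter mapping is later changed or a
// new dispatch path is introduced, the servlet does not rely on the filter
// chain alone for its access control.
@WebServlet("/listview")
class ProtectedListViewServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        if (!AuthenticationFilter.isAuthenticated(req)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        res.setContentType("text/plain");
        res.getWriter().println("asset list view for "
                + req.getSession(false).getAttribute(AuthenticationFilter.USER_ATTR));
    }
}
```

The two places to audit in an existing deployment are the filter's URL pattern and its dispatcher types: a filter that is only mapped to `REQUEST` does not run on a `FORWARD`, so any other filter or servlet that forwards internally reaches the target without the session check. Reviewing the `web.xml` (or annotation) mappings for every filter that forwards is the configuration check that corresponds to what this advisory describes at a high level.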
How to find out if you are affected
Click the Help link in the top-right corner of the AssetExplorer web client, and select About from the drop-down to see your current version. If your current version is 6952 or below, you might be affected.
Please follow this forum post for any further updates regarding this vulnerability.
What customers should do
Download the upgrade pack from https://www.manageengine.com/products/asset-explorer/service-packs.html and immediately upgrade to the latest version (6953).
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.
Customers of AssetExplorer who use the Desktop Central agent for asset discovery can refer to this security advisory for information on upgrading Desktop Central.
Important note: As always, make a copy of the entire AssetExplorer installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.