[Security advisory] Insufficient authentication and authorization handling vulnerability in Desktop Central

Hi there,

This is a security advisory regarding an insufficient authentication and authorization handling vulnerability (CVE-2021-37414) in ManageEngine Desktop Central, reported by an external security researcher via our bug bounty program.

Who is affected?

This vulnerability affects customers of ServiceDesk Plus MSP (Professional and Enterprise editions) who have installed Desktop Central to leverage the unified agent for asset inventory.

Affected build numbers of Desktop Central:

Desktop Central installations with the following build numbers are affected:
10.1.2121.03, 10.1.2121.02, 10.1.2121.04, 10.1.2127.01

Severity: High

What was the problem?
An endpoint in the Desktop Central server was found to have insufficient access control. If exploited, it could allow an unauthorized user to gain access to the Desktop Central instance.

How have we fixed the vulnerability?
The vulnerability has been identified and fixed in the latest build of Desktop Central. To apply the fix, follow the steps below:
Log in to your Desktop Central console and click your current build number in the top-right corner.
Find the latest build applicable to you. Download the PPM and update Desktop Central.

Note: This vulnerability is not applicable to the cloud editions of Desktop Central, Patch Manager Plus, and Remote Access Plus.

For further details, please contact support at support@servicedeskplusmsp.com.

Important note: As always, make a copy of the entire Desktop Central installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the Desktop Central database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com.

ManageEngine ServiceDesk Plus MSP team
