Security advisory regarding unauthenticated product integration vulnerability (CVE-2020-24786)

Hi,

We have fixed a critical security issue in the latest version of DataSecurity Plus, build 6033 (Reporter Name - Florian Hauser). Kindly read the post fully to learn more about the issue and how to resolve it.

What is the issue?

DataSecurity Plus had a vulnerable endpoint, used to integrate an installation with other ManageEngine product installations, that could be reached without authentication. This could potentially lead to a data leak.

Who is affected?

All users of DataSecurity Plus builds 6003 through 6032.

What is the severity level of the issue?

This is a critical issue. Because this vulnerability can be exploited without authentication from any publicly exposed installation of DataSecurity Plus, the associated risk is high.

How can I check if my installation has been compromised?

Steps to check if your installation has been compromised:

Log in to the DataSecurity Plus console, then:

1. If you have integrated DataSecurity Plus with Log360 or any other ManageEngine product, check that the integration's configuration settings are unchanged.

2. Verify that the Email Server settings (Admin > Email settings) are unchanged.

3. In Domain Settings, check whether any new, additional, or illegitimate domains have been configured.

What should I do if my instance is compromised?

If your DataSecurity Plus instance has been compromised, upgrade to build 6033 immediately.

Steps to upgrade DataSecurity Plus to the latest version:

  • Shut down the product.

  • Restore from a previous backup to undo unnecessary or unauthorized changes.

  • Update DataSecurity Plus to the latest build, 6033, using the service pack from this page.

  • Restart DataSecurity Plus.

If you are on any DataSecurity Plus build below 6033, it is advisable to upgrade immediately, even if your installation is not compromised.

If for any specific reason you are unable to upgrade your installation immediately, follow the mitigation steps listed on this page.

For any queries or technical assistance with the product upgrade, feel free to email our support team at support@datasecurityplus.com.