[Security advisory for CVE-2021-44525] Authentication bypass vulnerability in ManageEngine PAM360

Hi there,

This security advisory addresses an authentication bypass vulnerability (CVE-2021-44525) identified in ManageEngine PAM360 builds up to 5302. Given the severity of this vulnerability, we strongly urge all customers running PAM360 (all editions) at build 5302 or earlier to upgrade to the latest build immediately.

Vulnerability information

CVE-2021-44525 affects all editions of ManageEngine PAM360. The vulnerability can allow an adversary to gain unauthorized access to the application and invoke administrative actions through a few specific application URLs.

Severity: High

Impact:

An adversary can exploit this vulnerability by manipulating the request URLs that allow them to perform administrative actions in the product. Major actions include:

  • Deleting an organisation

  • Updating privacy settings

  • Configuring authentication options

  • Managing query report categories

  • Configuring emergency measures

This vulnerability does not expose any of the privileged account information, credentials and passwords stored in the password vault of the product.

What led to the vulnerability?

One of the application filters used for handling state in the list view was not configured properly. A crafted URL routed through this filter could reach a servlet that requires authentication without the caller having authenticated at all. APIs and other URL calls are not affected.

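To make that failure mode concrete, here is a small Python model of a servlet-style filter chain. It is an example added for this page, not PAM360 code, and the endpoint paths, the "viewTarget" parameter and the filter names are hypothetical; they stand in for the list-view "state" filter the advisory describes without reproducing any real PAM360 URL. An authentication filter mapped to a URL pattern decides on the path as it looks when the filter runs; a "state" filter that rewrites the dispatch target afterwards lets a crafted URL reach an administrative servlet the authentication filter never examined. The fixed variant keeps the same filter chain and instead enforces the check at the endpoint itself, which is the kind of per-endpoint authentication check the advisory says the fix adds.

```python
# Added example, not PAM360 code: a minimal model of a servlet-style filter
# chain. Endpoint paths, the "viewTarget" parameter and the filter names are
# hypothetical; they stand in for the list-view "state" filter the advisory
# describes without reproducing any real PAM360 URL.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]


@dataclass
class Request:
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    authenticated: bool = False


Handler = Callable[[Request], Response]
Filter = Callable[[Request, Handler], Response]


# --- endpoints (servlets) -------------------------------------------------

def list_view(req: Request) -> Response:
    return 200, "list view"


def delete_org(req: Request) -> Response:
    # Stands in for an administrative action such as deleting an organisation.
    return 200, "organisation deleted"


def require_auth(servlet: Handler) -> Handler:
    """Endpoint-level check: reject unauthenticated callers regardless of
    which filters ran, or did not run, before dispatch."""
    def guarded(req: Request) -> Response:
        if not req.authenticated:
            return 401, "login required"
        return servlet(req)
    return guarded


# --- filters ---------------------------------------------------------------

def auth_filter(req: Request, chain: Handler) -> Response:
    """URL-pattern filter mapped to /admin/*. It only sees the path as it
    is at the moment the filter runs."""
    if req.path.startswith("/admin/") and not req.authenticated:
        return 401, "login required"
    return chain(req)


def state_filter(req: Request, chain: Handler) -> Response:
    """Hypothetical list-view 'state' filter: a saved view state may name
    the servlet to forward to, and the rewrite happens after auth_filter
    has already matched on the original path."""
    target = req.query.get("viewTarget")
    if target:
        req.path = target  # models a server-side forward to the named servlet
    return chain(req)


def build_app(fixed: bool) -> Handler:
    """Same filter order in both variants; only the endpoint changes."""
    routes: Dict[str, Handler] = {
        "/list/view": list_view,
        "/admin/DeleteOrg": require_auth(delete_org) if fixed else delete_org,
    }
    filters: List[Filter] = [auth_filter, state_filter]

    def dispatch(req: Request) -> Response:
        handler = routes.get(req.path)
        return handler(req) if handler else (404, "not found")

    def run(req: Request) -> Response:
        def invoke(i: int, r: Request) -> Response:
            if i == len(filters):
                return dispatch(r)
            return filters[i](r, lambda nxt: invoke(i + 1, nxt))
        return invoke(0, req)

    return run


def crafted_request() -> Request:
    # Constructed sample input: an unauthenticated caller asks the list view
    # to restore a "state" that points at the administrative servlet.
    return Request(path="/list/view", query={"viewTarget": "/admin/DeleteOrg"})


if __name__ == "__main__":
    print("vulnerable:", build_app(fixed=False)(crafted_request()))  # (200, 'organisation deleted')
    print("fixed:     ", build_app(fixed=True)(crafted_request()))   # (401, 'login required')
```

Running it shows the vulnerable chain returning the administrative action's response for an unauthenticated request while a direct unauthenticated request to /admin/DeleteOrg is still rejected by the filter, which is exactly why this class of bug survives testing. The general point for anyone reviewing a filter-based authentication scheme: a URL-pattern filter protects only the path as it looked when the filter ran, so any later rewrite, forward or include must either be confined to the same trust level or be backed by a check at the target. In a real Java servlet container the analogous thing to verify is whether the authentication filter's mapping also covers FORWARD and INCLUDE dispatches (the dispatcher element in web.xml, or dispatcherTypes on @WebFilter), since a filter mapping covers only REQUEST dispatches by default.
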
Who is affected?

This vulnerability affects ManageEngine PAM360 customers using versions up to 5302 in all editions.

How have we fixed it?

We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.

How to find if your current version is vulnerable?

Click the My Profile icon in the top-right corner of the PAM360 web client and select About from the drop-down to see your current build number. If your build (any edition) is 5302 or below, your installation is vulnerable.

Please follow our forum post for any further updates regarding this vulnerability.

What customers should do

PAM360 build 5303, released on 04/12/2021, contains the fix for this vulnerability: proper authentication checks have been added at the vulnerable endpoint URLs. We recommend that all users on build 5302 or earlier upgrade to PAM360 build 5303.

The upgrade pack can be downloaded here: https://www.manageengine.com/privileged-access-management/minor-upgrades.html

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to us at pam360-support@manageengine.com, or call us at +1 408 454 4014.

Important note: We strongly recommend that you take a backup of your entire PAM360 installation folder before the upgrade and keep the copy in a separate location. This protects you against accidental loss of data and keeps all your settings intact. If you are using an MS SQL server as the back-end database, back up the PAM360 database as well before upgrading. Once the upgrade has completed successfully and you have verified the installation, remember to delete the backup, since it contains a complete copy of the installation and its data.

We express our sincerest apologies for any inconvenience this might have caused. If you have any questions or concerns, please reach out to us at pam360-support@manageengine.com.