An authentication bypass vulnerability affecting the REST API URLs in ManageEngine ADManager Plus has been addressed recently. This article explains the vulnerability and the steps to fix it. 

What is the issue?

An authentication bypass vulnerability that affects REST API URLs in ADManager Plus.

Whom does it affect?

Customers using ADManager Plus builds 7111 and earlier are affected. 

What is the severity level of this vulnerability?

This is a critical vulnerability.

How do I identify if my installation has been affected?

ManageEngine has developed a tool to check if an ADManager Plus installation has been affected by this vulnerability. Follow the below steps to install and run the tool to check your instance.

• Download the ZIP file from here and extract its content to <ADManager Plus installation directory>\bin folder.
• Right-click on the Scan.bat file, and select 'Run as administrator'.
• If there is a possibility of an exploit, a command prompt window will open and display the following message: 

"There is a possibility that your ADManager Plus server setup has been exploited. Please upload your logs at https://bonitas2.zohocorp.com and reach out to our Support team support@admanagerplus.comimmediately."

Alternatively, you can check for specific log entries manually by following these steps:

In \ManageEngine\ADManager Plus\logs folder, search the access log entries for the below strings:

/../RestAPI/
/..;/RestAPI/
///RestAPI/
/./RestAPI

The image below shows the access log entry:

There is a possibility that your ADManager Plus server setup has been exploited if you find any of the above entries in the logs.

What if I find that my installation is compromised?

If you find that your ADManager Plus installation is compromised, follow these steps:

• Isolate the machine in which ADManager Plus is installed.
• Backup the ADManager Plus database. Download and install ADManager Plus on a different machine and then restore the DB backup. For step-by-step information on how to do this, refer to 'Method 2' in this page.
• Once the server is functional, upgrade the product to build 7112 or later versions using the service pack from here.
• Check for any unauthorized access or usage of your employees' accounts. Also, check for any evidences of lateral movement from the compromised machine to other machines in your environment. If there are any indications of compromised Active Directory accounts, reset the passwords of those accounts.

What should I do if my installation is unaffected?

We strongly recommend that you upgrade to the latest build even if your instance is unaffected. Download the service pack from here and the complete build from here.

If you need any additional information, face any issues in performing the recommended steps, or need any help in upgrading your instance to the latest build, please write to us at support@admanagerplus.com. You can also call us at +1-844-245-1108 (toll-free).