
CVE ID: CVE-2021-37423

Title: Linked applications account takeover via fake password sync agent

CVSS score: 8.2 (High)

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L

Product: ManageEngine ADSelfService Plus

Affected versions: < 6200

Credits: Krzysztof Andrusiak and Marcin Ogorzelski

It is possible to change any user's password in the linked applications by introducing a "fake password sync agent" into ADSelfService Plus (ADSSP). The attack works as follows:
- first, the attacker removes the real password sync agent from the ADSSP database (this can be done remotely by an unauthenticated user)
- the attacker then waits for the "victim" user to change their password in Active Directory; the domain controller's password sync agent attempts to synchronize the new password, but ADSSP rejects the request because that agent is no longer in its database
- finally, the attacker registers their own password sync agent in ADSSP and sends a request that sets the "victim" user's password in the linked applications to one of their choice

The attack requires user interaction (a password change in Active Directory), which in most environments is forced periodically anyway by password-expiry policy; the CVSS vector reflects this as UI:R and AC:H. Because the first step needs no authentication, the removal of a registered sync agent, and a sync request from a known domain controller being rejected, are the signals worth monitoring on the ADSSP side.
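The sequence above can be turned into a simple detection over ADSSP audit events. The following is an added example, not code from the advisory authors or from ManageEngine: the log line format (`<ISO timestamp> <event> agent=<id> [user=<name>]`), the event names and the sample lines are all constructed assumptions, and `KNOWN_AGENTS` stands in for the list of domain controllers that are supposed to run the password sync agent. The logic flags each stage of the attack: a registered agent being removed, a known agent's sync being rejected, an unknown agent being registered shortly after a removal, and a password change accepted from that unknown agent.

```python
"""Detect the "fake password sync agent" sequence in ADSSP-style audit events.

Added example. The event schema below is an assumption for illustration;
it is not ADSelfService Plus's real audit log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    ts: datetime
    kind: str      # agent_removed | agent_registered | sync_rejected | sync_accepted
    agent: str     # agent identity as seen by ADSSP (host name or IP)
    user: str = ""  # only set on sync_* events


# Constructed sample log modelled on the attack sequence in the advisory:
# the legitimate DC agent is removed, a victim's sync from the DC is then
# rejected, a rogue agent registers and pushes a password for the victim.
SAMPLE_LOG = """\
2021-05-07T09:00:00 agent_registered agent=dc01.corp.example
2021-05-07T09:05:00 sync_accepted agent=dc01.corp.example user=alice
2021-05-07T10:00:00 agent_removed agent=dc01.corp.example
2021-05-07T12:30:00 sync_rejected agent=dc01.corp.example user=bob
2021-05-07T12:35:00 agent_registered agent=203.0.113.7
2021-05-07T12:36:00 sync_accepted agent=203.0.113.7 user=bob
"""

# Assumed allowlist: the domain controllers expected to run the sync agent.
KNOWN_AGENTS: Set[str] = {"dc01.corp.example"}


def parse_line(line: str) -> Event:
    """Parse one constructed-format line into an Event."""
    ts_text, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(datetime.fromisoformat(ts_text), kind, fields["agent"], fields.get("user", ""))


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Event], known_agents: Set[str],
           window: timedelta = timedelta(hours=24)) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for each suspicious stage of the sequence."""
    findings: List[Tuple[str, str]] = []
    removed_at: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        when = ev.ts.isoformat()
        if ev.kind == "agent_removed":
            # Agent removal is reachable without authentication, so every
            # removal deserves review even when it looks administrative.
            removed_at[ev.agent] = ev.ts
            findings.append(("AGENT_REMOVED", f"{when} agent {ev.agent} removed from ADSSP"))
        elif ev.kind == "agent_registered":
            if ev.agent not in known_agents:
                findings.append(("UNKNOWN_AGENT_REGISTERED",
                                 f"{when} agent {ev.agent} is not an expected domain controller"))
            replaced = [a for a, t in removed_at.items()
                        if a != ev.agent and ev.ts - t <= window]
            if replaced:
                findings.append(("AGENT_REPLACED",
                                 f"{when} {ev.agent} registered within {window} of removal of "
                                 + ", ".join(sorted(replaced))))
        elif ev.kind == "sync_rejected" and ev.agent in known_agents:
            # The victim-side symptom of step one: the real DC agent is refused.
            findings.append(("KNOWN_AGENT_REJECTED",
                             f"{when} sync for {ev.user} from known agent {ev.agent} rejected"))
        elif ev.kind == "sync_accepted" and ev.agent not in known_agents:
            findings.append(("UNKNOWN_AGENT_SYNC",
                             f"{when} password of {ev.user} set by unknown agent {ev.agent}"))
    return findings


if __name__ == "__main__":
    for code, detail in detect(parse_log(SAMPLE_LOG), KNOWN_AGENTS):
        print(f"{code:24} {detail}")
```

The allowlist of expected agents is the important part: in the attack the rogue agent is registered from a host that is not a domain controller, so a registration or an accepted sync from outside that set is the strongest single signal, while the earlier removal and rejection events give the timeline that ties the sequence together.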

Timeline:

  • 07-05-2021 - Vulnerability reported to vendor
  • 07-05-2021 - First response from vendor
  • 24-05-2022 - Fixed version release
  • 04-10-2023 - Public disclosure