CVE-2021-28958

Name

Unauthenticated RCE in password change function

CVSS score

9.8 (Critical)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Product name

ManageEngine ADSelfService Plus

Confirmed exploitable versions

< 6102

Researcher

Krzysztof Andrusiak and Marcin Ogorzelski

Description

In some cases user password change is done using PowerShell script. User credentials inserted into such script are not properly sanitized (improper sanitization of double quoutes), leading to PowerShell script injection and remote code execution.

Proof-of-concept

Download CVE-2021-28958.py and modify the following values in the script:
URL - ADSSP address
DOMAIN - Active Directory domain configured in ADSSP
CMD - command to be executed on the ADSSP server
Execute CVE-2021-28958.py script (using Python 3 interpreter).
Command defined in CMD variable will be executed on ADSSP server.

Timeline

17-03-2021 - Vulnerability reported to vendor
18-03-2021 - First response from vendor
23-03-2021 - First patch release
24-03-2021 - Security issues with first patch reported to vendor
24-03-2021 - Updated patch for retest received from vendor
30-03-2021 - Updated patch release
30-08-2021 - Public disclosure

References

https://www.manageengine.com/products/self-service-password/release-notes.html
https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6102-released-with-an-important-security-fix-21-3-2021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-28958