CVE-2021-37421

Name

Admin portal access restriction bypass via X-Forwarded-For header

CVSS score

5.3 (Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Product name

ManageEngine ADSelfService Plus

Confirmed exploitable versions

< 6104

Researcher

Krzysztof Andrusiak and Marcin Ogorzelski

Description

ADSelfService Plus allows administrators to restrict Admin portal access based on IP address. An attacker can bypass this security mechanism using "X-Forwarded-For" header set to whitelisted IP address.

Proof-of-concept

Enable "Allow/Restrict Admin portal access based on IP Addresses" in ADSSP's Logon Settings. Set "Restricted IP Addresses" to IP of a machine which will be used in next steps.
Go to /adminLogin.cc - message "You don't have permission to access this page !" should be returned.
Using intercepting proxy add X-Forwarded-For: 127.0.0.1 header to all requests.
Go to /adminLogin.cc again - this time user can log in as administrator, bypassing IP address restriction.

Timeline

17-03-2021 - Vulnerability reported to vendor
18-03-2021 - First response from vendor
08-05-2021 - Fixed version release
30-08-2021 - Public disclosure
21-02-2022 - PoC release

References

https://www.manageengine.com/products/self-service-password/release-notes.html
https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-37421