CVE-2021-37423

Name

Linked applications account takeover via fake password sync agent

CVSS score

8.2 (High)

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L

Product name

ManageEngine ADSelfService Plus

Confirmed exploitable versions

< 6200

Researcher

Krzysztof Andrusiak and Marcin Ogorzelski

Description

It is possible to modify any user's password in linked applications by introducing "fake password sync agent". Concept of this attack is presented below:
- at first, an attacker removes real sync agent from ADSSP database (it can be done remotely by unauthenticated user)
- then an attacker waits for "victim" user to modify their password in Active Directory - domain controller's password sync agent will attempt to synchronize passwords, but it will be rejected by ADSSP (due to fact that agent was removed from database)
- in the end an attacker will register their own password sync agent in ADSSP and send the request to modify "victim" user password to the one of their choice

This attack requires user's interaction (password change in Active Directory), which in most cases is forced from time to time.

Timeline

07-05-2021 - Vulnerability reported to vendor
07-05-2021 - First response from vendor
24-05-2022 - Fixed version release
04-10-2023 - Public disclosure

References

https://www.manageengine.com/products/self-service-password/release-notes.html#6200
https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-latest-build-6200-released
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-37423