
CVE-2021-37424

Domain administrator takeover via machine account creation

Severity: 9.0 (Critical)
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected product: ManageEngine ADSelfService Plus
Affected versions: < 6112
Credits: Krzysztof Andrusiak and Marcin Ogorzelski

It is possible to log in to ADSSP as Administrator (or as any other user) by creating a machine account named " Administrator" (with a leading space) and then using that account to log in to ADSSP. In that case the user is logged in as "Administrator" (without the leading space). By modifying the 2FA security-question answers, the user can then change the password of the "Administrator" domain user, which effectively leads to compromise of the AD domain. Any low-privileged AD user can carry out this attack, because by default every user may create up to 10 machine accounts in the domain.
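The two conditions the advisory relies on, a machine account whose name collapses onto an existing user's name once whitespace is dropped and a non-zero ms-DS-MachineAccountQuota, are both things a defender can check for directly in the directory. The following script is an added example and is not part of the original advisory or of ADSelfService Plus; the directory records and SIDs in it are constructed sample data standing in for LDAP query results, the `normalise` function is this example's own model of how a lenient consumer might collapse account names (it also folds case and strips the computer-account `$` suffix, which is broader than the leading-space case the advisory describes), and the attribute names follow the Active Directory schema.

```python
"""Hunt for lookalike machine accounts and a permissive machine-account quota.

Added example for CVE-2021-37424 (not the advisory's or vendor's code).
Records below are constructed, not taken from a real directory.
"""
import unicodedata
from collections import Counter, defaultdict

# AD default for ms-DS-MachineAccountQuota: every authenticated user may
# join 10 computers. The usual mitigation is to set it to 0.
DEFAULT_MACHINE_ACCOUNT_QUOTA = 10

# Constructed sample of what an LDAP search over
# (|(objectClass=user)(objectClass=computer)) might return.
# mS-DS-CreatorSID is set on computer objects joined via the quota rather
# than via explicit create-child rights, so it points at the joining user.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "Administrator", "objectClass": "user", "mS-DS-CreatorSID": None},
    {"sAMAccountName": " Administrator$", "objectClass": "computer", "mS-DS-CreatorSID": "S-1-5-21-1-2-3-1105"},
    {"sAMAccountName": "WS01$", "objectClass": "computer", "mS-DS-CreatorSID": "S-1-5-21-1-2-3-1105"},
    {"sAMAccountName": "jdoe", "objectClass": "user", "mS-DS-CreatorSID": None},
    # Non-breaking space (U+00A0) before the '$': another whitespace variant.
    {"sAMAccountName": "JDOE\u00a0$", "objectClass": "computer", "mS-DS-CreatorSID": "S-1-5-21-1-2-3-1106"},
]


def normalise(name: str) -> str:
    """Collapse a sAMAccountName the way a lenient consumer might.

    NFKC folds exotic spaces to U+0020, all whitespace is removed, the
    computer-account '$' suffix is dropped and case is folded. Two raw names
    that collapse to the same value are indistinguishable to such a consumer.
    """
    name = unicodedata.normalize("NFKC", name)
    name = "".join(ch for ch in name if not ch.isspace())
    if name.endswith("$"):
        name = name[:-1]
    return name.casefold()


def find_lookalike_accounts(records):
    """Return sorted (collapsed_name, [raw sAMAccountNames]) groups where two
    or more distinct raw names collapse to the same value."""
    groups = defaultdict(list)
    for rec in records:
        groups[normalise(rec["sAMAccountName"])].append(rec["sAMAccountName"])
    return sorted((k, v) for k, v in groups.items() if len(v) > 1)


def machine_accounts_by_creator(records):
    """Count quota-created computer objects per creating SID, so that a single
    low-privileged principal joining many machines stands out."""
    return Counter(
        rec["mS-DS-CreatorSID"]
        for rec in records
        if rec["objectClass"] == "computer" and rec["mS-DS-CreatorSID"]
    )


def unprivileged_users_can_join(machine_account_quota: int) -> bool:
    """True when ordinary users can still create machine accounts, i.e. the
    precondition of the advisory holds."""
    return machine_account_quota > 0


if __name__ == "__main__":
    for collapsed, raw in find_lookalike_accounts(SAMPLE_DIRECTORY):
        print(f"collision on {collapsed!r}: {raw}")
    for sid, n in machine_accounts_by_creator(SAMPLE_DIRECTORY).items():
        print(f"{sid} created {n} computer object(s)")
    if unprivileged_users_can_join(DEFAULT_MACHINE_ACCOUNT_QUOTA):
        print("ms-DS-MachineAccountQuota > 0: ordinary users can create machine accounts")
```

In a real environment the records would come from an LDAP query (for example via ldap3 or `Get-ADObject`), and the quota value from the domain NC's ms-DS-MachineAccountQuota attribute; the collision groups are the accounts to review and the quota result tells you whether the precondition for this class of abuse is still present.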

  • 07-05-2021 - Vulnerability reported to vendor
  • 07-05-2021 - First response from vendor
  • 26-08-2021 - Fixed version release
  • 04-10-2023 - Public disclosure