This is a security advisory regarding a possible authentication bypass vulnerability in ServiceDesk Plus, which has been identified and rectified. On-premises users of ServiceDesk Plus version 10511 to 11133 who have enabled SAML authentication are affected by this vulnerability and advised to update to the latest version (11134) immediately.
Impact: This vulnerability might be exploited to log in to a ServiceDesk Plus installation with administrative privileges to access information or change service desk configurations, both of which can be used to provide unauthorized access to user data or aid subsequent attacks. To do so, an attacker would need to carry out two steps. First, they would need to enter the credentials of any service desk user’s account. Then they would need to alter the parameter ‘username’ to another username with administrative privileges after SAML validation. This would require the attacker to know three pieces of information: the user credentials of any service desk account, the username of an administrator account, and the domain details.
What led to the vulnerability?
The security check process used by ServiceDesk Plus to authenticate the username and the user domain post SAML validation had a vulnerability that made it possible to change the parameter ‘username’ post SAML validation.
This vulnerability could be exploited to log in to a ServiceDesk Plus installation as an administrator.
Who is affected?
This vulnerability affects customers of any edition of ServiceDesk Plus (on-premises) using version 10511 to 11133 who have SAML authentication enabled.
How have we fixed it?
This particular vulnerability has been addressed in ServiceDesk Plus 11134 by fixing the security check mechanism such that authentication occurs with the username and domain details stored securely rather than from direct incoming parameters that can be tampered with easily.
How to find out if you are affected
Click the Help link in the top-right corner of the ServiceDesk Plus web client. Select the About option from the drop-down to see your current version. If your current version is between 10511 and 11133 and you are using SAML authentication, you might be affected.
What customers should do
ServiceDesk Plus versions 11100 to 11133
Download the upgrade pack from https://www.manageengine.com/products/service-desk/service-packs.html and immediately upgrade to the latest version (11134).
ServiceDesk Plus versions 10511 to 11010
Please follow this forum post for further updates. Alternatively, you can upgrade to the latest version (11134) using the appropriate migration path here: https://www.manageengine.com/products/service-desk/on-premises/service-packs.html
Important note: As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you’ll have this copy as a backup, which will keep all your settings intact. If you’re using an MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
Other recent articles in the same category
2 June 2020
15 February 2018
You may be interested in these other recent articles
ManageEngine positioned in the Gartner® Magic Quadrant™ for ITSM Tools for the second consecutive year
8 September 2021 | Nigel Arnold
The 2021 Gartner® Magic Quadrant™ for IT Service Management Tools is out, and ManageEngine has been included in this year’s report. This is the second…Read more