ManageEngine have released details on an unauthenticated servlet call vulnerability that affects the following products:

  • OpManager
  • OpManager Plus
  • Network Configuration Manager
  • NetFlow Analyzer
  • Firewall Analyzer
  • OpUtils

The issue has been fixed in the latest version of all applications.

Please read through this information carefully to check whether your installation has been affected or not, and if affected, learn how you can resolve it.

Unauthenticated API Key Disclosure

An unauthenticated access path that disclosed the product's API key was discovered. An attacker holding that key could add an admin user through an API call and then carry out admin-level operations.

This is a critical security vulnerability. (Refer: CVE-2020-11946)

Which build numbers are affected?

  • OpManager
    • Build numbers between 12.3.xxx and 12.4.195 (for OpManager v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for OpManager v12.5).
  • OpManager Plus
    • Build numbers between 12.3.xxx and 12.4.195 (for OpManager Plus v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for OpManager Plus v12.5).
  • Network Configuration Manager
    • Build numbers between 12.3.xxx and 12.4.195 (for NCM v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for NCM v12.5).
  • NetFlow Analyzer
    • Build numbers between 12.3.xxx and 12.4.195 (for NFA v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for NFA v12.5).
  • Firewall Analyzer
    • Build numbers between 12.3.xxx and 12.4.195 (for FWA v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for FWA v12.5).
  • OpUtils
    • Build numbers between 12.3.xxx and 12.4.195 (for OpUtils v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for OpUtils v12.5).

If you’re not sure what build number you’re running, you can find it easily by following these steps:

  1. In the web client, click on the Profile icon on the top-right corner of the screen.
  2. Under the “About” tab, you can find the version in the ‘Build Number’ field.
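To check a whole inventory of installations against the ranges listed above rather than one console at a time, the following script compares build numbers numerically (a plain string comparison would, for example, sort "12.4.96" after "12.4.195"). This is an added example and not a tool from ManageEngine or Set3 Solutions; it assumes the "12.3.xxx" wording means any 12.3 build, so the lower bound is taken as 12.3.0, and the hostnames and builds in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

Build = Tuple[int, int, int]

# Affected ranges from the advisory, inclusive at both ends. The advisory writes the
# lower end of the first range as "12.3.xxx"; that is taken here (assumption) to mean
# any 12.3 build, hence the 12.3.0 lower bound.
AFFECTED_RANGES: List[Tuple[Build, Build]] = [
    ((12, 3, 0), (12, 4, 195)),
    ((12, 5, 1), (12, 5, 119)),
]

BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_build(build: str) -> Build:
    """Turn '12.4.195' into (12, 4, 195) so builds compare numerically, not as strings."""
    m = BUILD_RE.match(build)
    if not m:
        raise ValueError(f"unrecognised build number: {build!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(build: str) -> bool:
    """True if the build falls inside one of the advisory's affected ranges."""
    b = parse_build(build)
    return any(lo <= b <= hi for lo, hi in AFFECTED_RANGES)


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: build number}, return the hosts that still need the fix, sorted."""
    return sorted(host for host, build in inventory.items() if is_affected(build))


# Constructed inventory for illustration; hostnames and builds are made up.
SAMPLE_INVENTORY = {
    "opmanager-01.example.internal": "12.4.100",  # affected
    "opmanager-02.example.internal": "12.4.196",  # fixed build named in the advisory
    "ncm-01.example.internal": "12.5.050",        # affected (12.5 range)
    "nfa-01.example.internal": "12.5.120",        # past the affected 12.5 range
    "fwa-01.example.internal": "12.3.200",        # any 12.3 build is affected
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: build {SAMPLE_INVENTORY[host]} is affected, upgrade required")
```

Feed it the build numbers read from each console's "About" tab and it returns only the hosts that need attention; an unparseable build string raises rather than silently passing as "not affected".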

How did the security team at ManageEngine resolve this vulnerability?

This issue was reported to us by @kuncho, an independent security researcher on April 12. As soon as we were informed of this, suitable authentication measures were added for the API call, and the latest version of the product with the fix, i.e. OpManager v12.4.196 was released on April 22, 2020.

How can I check if my installation has been compromised?

  1. Check whether any new user accounts look suspicious by navigating to Settings > General Settings > User management. If there are any, verify that they were not created by another administrator (if any), and delete any unrecognised user profile immediately.
  2. Also check the access logs for any unauthenticated sendData requests. Under the “logs” folder in the installation directory, open access_log.txt and check whether any of the following API calls have been made from external IPs, i.e. addresses without the suffix “- localhost” next to them:
    1. sendData – used to expose the API key to the attacker
    2. addUser – possible add user action performed using the obtained key
    3. testNProfile – possible RCE performed on some/all devices in the network
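The log review in step 2 can be automated. The script below is an added example, not a ManageEngine or Set3 Solutions tool: it scans access-log lines, ignores requests that come from the loopback address or carry the "- localhost" tag the advisory mentions, and flags any remaining request whose request line names sendData, addUser or testNProfile. The line layout it parses (client address, hostname or "-", timestamp, quoted request line, status) is an assumption, as are the placeholder paths in the constructed sample log; adjust LINE_RE to match the actual access_log.txt layout before running it on real data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The three API calls the advisory tells you to look for, and why each matters.
SUSPICIOUS_CALLS = {
    "sendData": "API key disclosure",
    "addUser": "possible admin user added with the disclosed key",
    "testNProfile": "possible command execution on managed devices",
}

LOCAL_ADDRESSES = {"127.0.0.1", "::1"}

# ASSUMED line layout (constructed for this example, not ManageEngine's documented format):
# <client address> - <hostname or '-'> [<timestamp>] "<method> <path> <protocol>" <status> <bytes>
# The advisory only states that local requests carry a "- localhost" suffix after the address.
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<host>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


@dataclass
class Finding:
    timestamp: str
    address: str
    call: str
    reason: str
    request: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_local(addr: str, host: str) -> bool:
    """Loopback or 'localhost'-tagged requests are the product talking to itself."""
    return addr in LOCAL_ADDRESSES or host == "localhost"


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Flag every non-local request whose request line names one of the suspicious API calls."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_local(rec["addr"], rec["host"]):
            continue
        for call, reason in SUSPICIOUS_CALLS.items():
            # Word boundaries so that e.g. "resendData" or "sendDataX" does not match.
            if re.search(r"\b" + re.escape(call) + r"\b", rec["req"]):
                findings.append(Finding(rec["ts"], rec["addr"], call, reason, rec["req"]))
    return findings


# Constructed sample log: paths are placeholders, addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
127.0.0.1 - localhost [22/Apr/2020:09:01:12 +0000] "GET /PLACEHOLDER/listDevices HTTP/1.1" 200 1543
127.0.0.1 - localhost [22/Apr/2020:09:02:45 +0000] "POST /PLACEHOLDER/servlet?operation=sendData HTTP/1.1" 200 312
198.51.100.23 - - [22/Apr/2020:09:05:03 +0000] "POST /PLACEHOLDER/servlet?operation=sendData HTTP/1.1" 200 312
198.51.100.23 - - [22/Apr/2020:09:05:09 +0000] "POST /PLACEHOLDER/addUser HTTP/1.1" 200 88
198.51.100.23 - - [22/Apr/2020:09:07:41 +0000] "POST /PLACEHOLDER/testNProfile HTTP/1.1" 200 40
203.0.113.7 - - [22/Apr/2020:09:10:00 +0000] "GET /PLACEHOLDER/index.jsp HTTP/1.1" 200 7801
this line is not in the expected format
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp}  {f.address:<15} {f.call:<13} {f.reason}")
```

On the sample log the three requests from 198.51.100.23 are reported in order (sendData, then addUser, then testNProfile), which is the sequence the advisory describes; the local sendData call and the unrelated external request are ignored. A non-empty result is the trigger for the shutdown-and-contact-support step that follows.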

If any of these are noticed in your setup, IMMEDIATELY SHUT DOWN THE INSTALLATION, and contact the ManageEngine support team.

What can I do to fix this vulnerability?

Ensure you update your installation to the latest version as soon as possible.

Important note: before updating ensure you take all possible forms of backup to prevent data loss.

You can find the relevant links below:

You can contact Set3 Solutions here for expert help with your update.

Alternatively, you can also directly contact the ManageEngine security team for assistance with the upgrade at itom-upgrades@manageengine.com or raise a support request.
