ManageEngine have released details on an unauthenticated servlet call vulnerability that affects the following products:

  • OpManager
  • OpManager Plus
  • Network Configuration Manager
  • NetFlow Analyzer
  • Firewall Analyzer
  • OpUtils

The issue has been fixed in the latest version of all applications.

Please read through this information carefully to check whether your installation has been affected or not, and if affected, learn how you can resolve it.

Unauthenticated API Key Disclosure

An unauthenticated access path that returned the product's API key was discovered in these products. Anyone who could reach the web interface could obtain the key, use it to add an administrator account through an API call, and then carry out any admin-level operation in the product.

This is a critical security vulnerability. (Refer: CVE-2020-11946)

Which build numbers are affected?

  • OpManager
    • Build numbers between 12.3.xxx and 12.4.195 (for OpManager v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for OpManager v12.5).
  • OpManager Plus
    • Build numbers between 12.3.xxx and 12.4.195 (for OpManager Plus v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for OpManager Plus v12.5).
  • Network Configuration Manager
    • Build numbers between 12.3.xxx and 12.4.195 (for NCM v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for NCM v12.5).
  • NetFlow Analyzer
    • Build numbers between 12.3.xxx and 12.4.195 (for NFA v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for NFA v12.5).
  • Firewall Analyzer
    • Build numbers between 12.3.xxx and 12.4.195 (for FWA v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for FWA v12.5).
  • OpUtils
    • Build numbers between 12.3.xxx and 12.4.195 (for OpUtils v12.3 and v12.4).
    • Build numbers between 12.5.001 and 12.5.119 (for OpUtils v12.5).

If you’re not sure what build number you’re running, you can find it easily by following these steps:

  1. In the web client, click on the Profile icon on the top-right corner of the screen.
  2. Under the “About” tab, you can find the version in the ‘Build Number’ field.
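Once you have the build number, the following added example (not code from the ManageEngine advisory or from the product) decides whether it falls inside the affected ranges listed above. It assumes the dotted "major.minor.build" notation this advisory uses, such as "12.4.195"; if your About tab shows the number in a different form, adjust parse_build accordingly.

```python
# Added example: check a build number against the affected ranges in the advisory.
# Assumes the dotted "major.minor.build" notation used on this page.

from typing import Dict, Iterable, Tuple

Build = Tuple[int, int, int]

# Inclusive ranges from the advisory. "12.3.xxx" means any 12.3 build,
# so that range starts at 12.3.0.
AFFECTED_RANGES = (
    ((12, 3, 0), (12, 4, 195)),   # v12.3 and v12.4, up to and including 12.4.195
    ((12, 5, 1), (12, 5, 119)),   # v12.5 builds 12.5.001 through 12.5.119
)


def parse_build(build: str) -> Build:
    """Parse "12.4.195" into (12, 4, 195); raise ValueError on anything else."""
    parts = build.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build number: {build!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected_build(build: str) -> bool:
    """True if the build lies inside one of the affected ranges (inclusive)."""
    b = parse_build(build)
    # Tuple comparison is lexicographic, so (12, 4, 196) > (12, 4, 195).
    return any(low <= b <= high for low, high in AFFECTED_RANGES)


def triage(builds: Iterable[str]) -> Dict[str, str]:
    """Classify a list of build numbers, e.g. from an asset inventory."""
    result: Dict[str, str] = {}
    for build in builds:
        try:
            result[build] = "affected" if is_affected_build(build) else "not affected"
        except ValueError:
            result[build] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real installations.
    for build, verdict in triage(["12.4.195", "12.4.196", "12.5.001", "12.5.120"]).items():
        print(f"{build}: {verdict}")
```

A build that reports "unparseable" should be checked by hand rather than assumed safe; the fixed OpManager build named later in this advisory is 12.4.196, which the check correctly reports as not affected.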

How did the security team at ManageEngine resolve this vulnerability?

This issue was reported to ManageEngine by @kuncho, an independent security researcher, on April 12, 2020. Authentication checks were added to the affected API call, and the fixed release, OpManager v12.4.196, was published on April 22, 2020.

How can I check if my installation has been compromised?

  1. Check for new user accounts that look suspicious by navigating to Settings > General Settings > User management. If you find one, confirm with any other administrators that they did not create it; if nobody did, delete that account immediately.
  2. Check the access log for the servlet calls below made from anywhere other than the local machine. Under the “logs” folder in the installation directory, open access_log.txt and look for any of the following calls from external addresses, i.e. lines without the suffix “- localhost” next to the address:
    1. sendData – the call that disclosed the API key to the attacker
    2. addUser – a user added with the obtained key
    3. testNProfile – possible remote command execution on some or all devices in the network

If any of these are noticed in your setup, IMMEDIATELY SHUT DOWN THE INSTALLATION, and contact the ManageEngine support team.
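The log check above, as an added example that is not part of the advisory or the product: it scans access_log.txt for the three servlet calls and reports only the ones that did not come from the local machine. The one fact it relies on from the advisory is that local requests carry a “- localhost” suffix after the address; the rest of the line layout (timestamp, quoted request line, the placeholder /path/to/ prefix) and the sample log lines are constructed assumptions, so adjust LINE_RE if your log looks different.

```python
# Added example: flag sendData / addUser / testNProfile requests in access_log.txt
# that did not come from the local machine. Line layout is an assumption.

import re
from typing import Dict, Iterable, List

# Servlet names from the advisory and the role each plays in the attack chain.
SUSPICIOUS_CALLS = {
    "sendData": "API key disclosure",
    "addUser": "admin user added with the obtained key",
    "testNProfile": "possible remote command execution on managed devices",
}

# Address, optional "- localhost" marker (per the advisory), then a quoted request line.
LINE_RE = re.compile(
    r'^(?P<addr>\S+)'                          # client address
    r'(?P<local>\s+-\s+localhost)?'            # present only for local requests
    r'.*?"(?P<method>[A-Z]+)\s+(?P<path>\S+)'  # method and path of the request
)

# Match the servlet name as a whole path segment, so /sendDataReport is not a hit.
CALL_RE = re.compile(r"/(%s)(?:[/?]|$)" % "|".join(SUSPICIOUS_CALLS))

# Constructed sample lines, not a real log.
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - localhost [14/Apr/2020:09:12:01 +0100] "GET /path/to/sendData HTTP/1.1" 200
203.0.113.7 [14/Apr/2020:09:13:44 +0100] "GET /path/to/sendData HTTP/1.1" 200
203.0.113.7 [14/Apr/2020:09:14:02 +0100] "POST /path/to/addUser HTTP/1.1" 200
10.0.0.23 [14/Apr/2020:09:15:10 +0100] "GET /path/to/sendDataReport HTTP/1.1" 200
127.0.0.1 - localhost [14/Apr/2020:09:15:30 +0100] "POST /path/to/testNProfile HTTP/1.1" 200
203.0.113.7 [14/Apr/2020:09:16:55 +0100] "POST /path/to/testNProfile?id=1 HTTP/1.1" 200
"""


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious call that lacks the "- localhost" marker."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a request line we understand
        call = CALL_RE.search(m["path"])
        if not call or m["local"]:
            continue                      # uninteresting call, or a local request
        name = call.group(1)
        findings.append({
            "line": lineno,
            "addr": m["addr"],
            "method": m["method"],
            "call": name,
            "role": SUSPICIOUS_CALLS[name],
        })
    return findings


def scan_access_log_file(path: str) -> List[Dict[str, object]]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_access_log(fh)


def by_address(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group flagged calls by source address, in log order, for triage."""
    summary: Dict[str, List[str]] = {}
    for f in findings:
        summary.setdefault(str(f["addr"]), []).append(str(f["call"]))
    return summary


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"line {f['line']}: {f['addr']} {f['method']} {f['call']} ({f['role']})")
```

Any address without the “- localhost” marker is treated as external, including internal addresses, because the call needed no credentials and works from anywhere that can reach the web port. A sendData hit on its own is enough to assume the API key has been obtained; an addUser or testNProfile hit from the same address, as in the sample, shows the key being used.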

What can I do to fix this vulnerability?

Update your installation to the latest version as soon as possible. Updating closes the disclosure path but does not undo anything an attacker did with a key obtained beforehand, so if the log check above shows suspicious calls, follow the steps in the previous section as well.

Important note: take a full backup before updating, to prevent data loss.

You can find the relevant links below:

You can contact Set3 Solutions here for expert help with your update.

Alternatively, you can contact the ManageEngine security team directly for assistance with the upgrade at itom-upgrades@manageengine.com, or raise a support request.
