Zoho has released a security patch to address an authentication bypass vulnerability, tracked as CVE-2021-40539, in its Manage Engine AD Self-Service Plus. The vulnerability is already exploited in attacks in the wild. The vulnerability resides in the REST API URLs in AD Self-Service Plus and could lead to remote code execution (RCE).

Zoho Manage Engine AD Self-Service Plus is a self-service password management and single sign-on (SSO) solution for AD and cloud apps. An attacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD.

We have addressed an authentication bypass vulnerability affecting the REST API URLs in AD Self-Service Plus. This article provides more information on the issue and how to resolve it. This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE.

Zoho statement

The flaw affects AD Self-Service Plus build 6113 and prior; it was addressed with the release of build 6114 or later. To determine whether an install has been targeted, check for the presence of the following strings in the access log entries available in the \ManageEngine\ADSelfService Plus\logs folder:

/RestAPI/LogonCustomization

/RestAPI/Connection

Zoho also said that users will find the following files in the ADSelfService Plus installation folder if running a vulnerable version:

cer in \ManageEngine\ADSelfService Plus\bin folder.

jsp in \ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder.
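The two indicator sets above (URL strings in the access log and unexpected files in the bin and Reports folders) lend themselves to a small triage script. The following is an added example written for this article, not Zoho's own tooling: the access-log lines are constructed in a generic web-server format because the product's real log layout is not shown here, the file check interprets "cer" and "jsp" as file extensions since the article names only the extensions, and the build-number threshold comes straight from the article (6114 fixed).

```python
"""Triage helpers for the CVE-2021-40539 indicators described in the article.

Everything here is an added example: the log format and file names are
constructed for illustration; only the URL strings, folder names and the
fixed build number come from the article.
"""
import re
from pathlib import Path, PurePosixPath
from typing import Iterable, List

# URL strings Zoho told customers to look for in the access log.
INDICATOR_RE = re.compile(r"/RestAPI/(?:LogonCustomization|Connection)\b")

# First build containing the fix, per the article.
FIXED_BUILD = 6114

# Folders (relative to the install root) named in the article, with the file
# extension the article mentions for each. Interpretation: "cer" / "jsp" are
# taken to mean files with those extensions.
SUSPECT_LOCATIONS = {
    "bin": ".cer",
    "help/admin-guide/reports": ".jsp",
}

# Constructed sample access-log lines (generic combined-log format, not the
# product's real format). Two carry indicator paths, one is benign traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Sep/2021:11:02:13 +0000] "GET /RestAPI/LogonCustomization HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Sep/2021:11:03:44 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 128',
    '10.0.0.9 - - [10/Sep/2021:11:05:01 +0000] "GET /authorization.do HTTP/1.1" 200 2048',
]


def is_vulnerable_build(build: int) -> bool:
    """True when the installed build predates the fixed release."""
    return build < FIXED_BUILD


def find_indicator_requests(log_lines: Iterable[str]) -> List[str]:
    """Return every access-log line that references an indicator URL.

    The \\b in INDICATOR_RE stops a longer, unrelated path such as
    /RestAPI/ConnectionStatus from being reported as a hit.
    """
    return [line for line in log_lines if INDICATOR_RE.search(line)]


def classify_paths(relative_paths: Iterable[str]) -> List[str]:
    """Pure check: which relative paths sit in a suspect folder with the suspect extension.

    Accepts Windows or POSIX separators so it can be unit-tested without a filesystem.
    """
    hits = []
    for rel in relative_paths:
        p = PurePosixPath(rel.replace("\\", "/"))
        folder = p.parent.as_posix().lower()
        expected_ext = SUSPECT_LOCATIONS.get(folder)
        if expected_ext and p.suffix.lower() == expected_ext:
            hits.append(rel)
    return hits


def scan_install(install_root: Path) -> List[str]:
    """Walk an ADSelfService Plus install root and apply classify_paths to every file."""
    rels = (
        str(p.relative_to(install_root))
        for p in install_root.rglob("*")
        if p.is_file()
    )
    return classify_paths(rels)


if __name__ == "__main__":
    print("vulnerable build 6113:", is_vulnerable_build(6113))
    for hit in find_indicator_requests(SAMPLE_ACCESS_LOG):
        print("indicator request:", hit)
    # On a real host point this at the install folder, e.g.
    # scan_install(Path(r"C:\ManageEngine\ADSelfService Plus"))
```

Run it against the real logs folder by feeding the file's lines to find_indicator_requests and pointing scan_install at the install root; a hit from either function is a reason to treat the host as compromised rather than merely unpatched, so preserve the logs before patching.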

This isn’t Zoho’s first zero-day rodeo. In March 2020, researchers disclosed a zero-day vulnerability in Zoho’s Manage Engine Desktop Central, an endpoint management tool that helps users manage their servers, laptops, smartphones and more from a central location. The critical bug (CVE-2020-10189, with a CVSS score of 9.8) allowed an unauthenticated, remote attacker to gain complete control over affected systems.