
How to remediate – ManageEngine ADSelfService Plus Detection

1. Introduction

ManageEngine ADSelfService Plus is a help desk management application used for self-service password resets and account administration. A vulnerable instance could allow an attacker to gain access to sensitive information or compromise user accounts. This affects businesses using the software for IT support, particularly those with web-facing deployments. Impact on confidentiality, integrity, and availability is likely if exploited successfully.

2. Technical Explanation

ManageEngine ADSelfService Plus uses Java and is susceptible to remote code execution vulnerabilities due to insecure deserialization or other flaws in its handling of user input. An attacker could send a crafted request to the application, leading to arbitrary code execution on the server. Exploitation requires network access to the web service port.

  • Root cause: Insecure deserialization of untrusted data.
  • Exploit mechanism: An attacker sends a malicious payload via HTTP requests that exploits flaws in Java’s object serialization process, allowing them to execute arbitrary code on the server.
  • Scope: ManageEngine ADSelfService Plus versions prior to the latest patched release are affected.

3. Detection and Assessment

Confirming a vulnerable instance involves checking the application version and looking for telltale signs of exposure.

  • Quick checks: Access the web interface and check the “About” page to determine the installed version.
  • Scanning: Nessus plugin ID 165378 can detect vulnerable versions. This is one example; other scanners may also provide detection capabilities.
  • Logs and evidence: Review application logs for error messages related to deserialization or unexpected exceptions. Log files are typically located in the <ADSelfService Plus installation directory>/logs folder.
# Example command placeholder:
# No specific command available, check web interface version.
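The "Logs and evidence" check above (and the post-fix monitoring bullet in section 5) asks you to review the application logs for deserialization-related exceptions. The following script is an added example, not ManageEngine's code or output: it scans log lines for standard JDK class names that show up when serialized-object handling fails, and counts hits per indicator. The sample log lines and logger names are constructed for the demonstration; the `logs` folder path is the placeholder the article uses.

```python
"""Triage helper for the 'Logs and evidence' check in section 3.

Added example; this is not ManageEngine's code. It scans ADSelfService Plus
log lines for Java deserialization-related exception signatures. The
indicator patterns are standard JDK class names; the sample log lines are
constructed for this demonstration and do not come from a real deployment.
"""
from __future__ import annotations

import re
from collections import Counter
from pathlib import Path
from typing import Iterable

# Each hit is a triage lead, not proof of exploitation: benign stack traces
# can also mention these classes, so review the surrounding log context.
INDICATORS = {
    "invalid_class": re.compile(r"java\.io\.InvalidClassException"),
    "stream_corrupted": re.compile(r"java\.io\.StreamCorruptedException"),
    "read_object": re.compile(r"ObjectInputStream\.readObject"),
    "class_not_found": re.compile(r"java\.lang\.ClassNotFoundException"),
}


def scan_lines(lines: Iterable[str]) -> list[dict]:
    """Return one finding per matching line (the first indicator that matches)."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({"line_no": line_no, "indicator": name, "text": line.rstrip()})
                break
    return findings


def summarize(findings: list[dict]) -> Counter:
    """Count findings per indicator so a spike stands out at a glance."""
    return Counter(f["indicator"] for f in findings)


def scan_log_dir(log_dir: Path) -> dict[str, list[dict]]:
    """Scan every .log/.txt file under the logs folder; returns {file: findings}."""
    results: dict[str, list[dict]] = {}
    for path in sorted(log_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() in {".log", ".txt"}:
            with path.open(encoding="utf-8", errors="replace") as fh:
                hits = scan_lines(fh)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample lines in a generic Java-logger style; not real product output.
SAMPLE_LINES = [
    "[27 Dec 2025 10:01:02] INFO  PasswordReset - reset completed for user alice",
    "[27 Dec 2025 10:03:45] SEVERE ObjectHandler - java.io.InvalidClassException: unexpected class descriptor",
    "[27 Dec 2025 10:03:45] SEVERE ObjectHandler -     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:431)",
    "[27 Dec 2025 10:05:10] WARNING RequestFilter - java.io.StreamCorruptedException: invalid stream header",
    "[27 Dec 2025 10:07:00] INFO  PasswordReset - reset completed for user bob",
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LINES)
    for hit in hits:
        print(f"line {hit['line_no']}: {hit['indicator']}: {hit['text']}")
    print(dict(summarize(hits)))
    # For a real review, point scan_log_dir at the installation's logs folder
    # (placeholder path as used in this article):
    # print(scan_log_dir(Path("<ADSelfService Plus installation directory>") / "logs"))
```

Run it again after the upgrade as the section 5 monitoring step: a count that stays at zero over a normal business cycle is the expected post-fix baseline, while a cluster of `stream_corrupted` or `invalid_class` hits around the same timestamps is worth a closer look at the requests that preceded them.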

4. Solution / Remediation Steps

Apply the latest patch or upgrade to a secure version of ManageEngine ADSelfService Plus.

4.1 Preparation

  • Ensure you have downloaded the latest patch from the official ManageEngine website. The rollback plan is to restore the backed-up installation directory and database if issues occur, so take that backup before patching.
  • A change window may be required depending on your environment. Approval from IT management is recommended.

4.2 Implementation

  1. Download the latest patch file from https://www.manageengine.com/products/self-service-password/
  2. Stop the ADSelfService Plus service using the Windows Services manager or the equivalent Linux command.
  3. Replace the existing application files with the patched version.
  4. Restart the ADSelfService Plus service.
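Step 3 overwrites the application files, and the rollback plan from 4.1 depends on having a restorable copy of the installation directory before that happens. The script below is an added example, not ManageEngine's own tooling: it archives the installation directory with a UTC timestamp, verifies a restore against a pre-patch hash, and refuses archive members that would land outside the destination. The directory and file names in the rehearsal are assumptions; it builds a throwaway tree so it can run anywhere, and you would point the two functions at the real installation directory and a backup location of your choosing.

```python
"""Backup/rollback rehearsal for the file replacement in section 4.2.

Added example; this is not ManageEngine's own tooling. It archives the
installation directory before the files are replaced and restores it if
the patched release misbehaves (the rollback plan from section 4.1). The
directory names used in the rehearsal are assumptions.
"""
from __future__ import annotations

import hashlib
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def backup_install_dir(install_dir: Path, backup_root: Path) -> Path:
    """Archive install_dir as <backup_root>/<name>-<UTC stamp>.tar.gz; return the path."""
    install_dir = install_dir.resolve()
    backup_root.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_root / f"{install_dir.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(install_dir, arcname=install_dir.name)
    return archive


def sha256_file(path: Path) -> str:
    """Hash a file so a restore can be checked against the pre-patch state."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _safe_members(tar: tarfile.TarFile, dest: Path):
    """Yield members that stay inside dest; refuse links and path traversal."""
    dest = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"refusing to extract outside {dest}: {member.name}")
        if member.issym() or member.islnk():
            raise ValueError(f"refusing to extract link member: {member.name}")
        yield member


def restore_install_dir(archive: Path, install_dir: Path) -> None:
    """Rollback: remove the current install_dir and put the archived copy back."""
    install_dir = install_dir.resolve()
    if install_dir.exists():
        shutil.rmtree(install_dir)
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(path=install_dir.parent, members=_safe_members(tar, install_dir.parent))


def demo_roundtrip() -> dict:
    """Rehearse backup -> simulated patch -> rollback on a throwaway tree (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        install = root / "ADSelfService Plus"   # assumed directory name
        jar = install / "lib" / "app.jar"        # stand-in for an application file
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"pre-patch build")
        before = sha256_file(jar)

        archive = backup_install_dir(install, root / "backups")
        jar.write_bytes(b"patched build")        # stands in for step 3 above
        changed = sha256_file(jar) != before

        restore_install_dir(archive, install)    # the rollback path
        return {
            "archive_name": archive.name,
            "changed_after_patch": changed,
            "restored_matches": sha256_file(jar) == before,
        }


if __name__ == "__main__":
    print(demo_roundtrip())
```

Run the backup with the service already stopped (step 2) so no file is mid-write when it is archived, and keep the archive on storage the service account cannot modify; the database backup the preparation step mentions is separate and should follow the database's own backup procedure.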

4.3 Config or Code Example

Before

# No specific configuration change is required, upgrade application files only.

After

# Verify updated version in web interface "About" page after restart.

4.4 Security Practices Relevant to This Vulnerability

Practices that directly address this vulnerability type include least privilege and patch cadence.

  • Practice 1: Least privilege – limit the permissions of the ADSelfService Plus service account to reduce the impact if exploited.
  • Practice 2: Patch cadence – implement a regular patching schedule for all software, including third-party applications like ManageEngine ADSelfService Plus.

4.5 Automation (Optional)

# No automation script provided as it requires specific environment configurations.

5. Verification / Validation

Confirming the fix involves checking the updated version number and performing a basic service smoke test.

  • Post-fix check: Access the web interface and verify that the version number has been updated to the latest patched release.
  • Re-test: Re-run Nessus plugin ID 165378 or equivalent scanner to confirm the vulnerability is no longer detected.
  • Smoke test: Verify users can still successfully reset their passwords through the web interface.
  • Monitoring: Monitor application logs for any errors related to deserialization or unexpected exceptions.
# Post-fix command and expected output:
# Access web UI -> About page, version should be latest patch release.

6. Preventive Measures and Monitoring

Update security baselines and implement regular patching processes to prevent similar vulnerabilities in the future.

  • Baselines: Update your security baseline or policy to require the latest patched version of ManageEngine ADSelfService Plus.
  • Asset and patch process: Implement a regular patch review cycle for all third-party applications, including ManageEngine ADSelfService Plus.

7. Risks, Side Effects, and Rollback

Applying the patch may cause temporary service interruption. Ensure you have a rollback plan in place.

  • Risk or side effect 1: Temporary service downtime during patching. Mitigation: Schedule patching during off-peak hours.

8. References and Resources

Updated on December 27, 2025
