
How to remediate – ManageEngine Password Manager Pro Default Credentials

1. Introduction

ManageEngine Password Manager Pro ships with a built-in administrator account whose initial password is documented and therefore public. If that password is never changed after installation, anyone who can reach the web interface can log in with it; no exploit is needed. Because the product is itself the vault for other systems' credentials, a successful login exposes every stored password, the audit trail and the settings that protect them, so the impact on confidentiality, integrity and availability extends to every system whose credentials the vault holds.

2. Technical Explanation

The weakness is not a flaw in the authentication code: login works as designed, but the initial secret is public knowledge. An attacker who can reach the web interface submits the default username and password (this page's examples use admin / guest; confirm the documented default for the installed version) and, if the installation was never hardened, receives an administrative session. It is a deployment misconfiguration, not a software defect, which is why no patch removes it.

  • Root cause: the built-in administrator account is still using its initial, publicly documented password.
  • Exploit mechanism: a single login request against the web UI with the default username and password. No tooling is required; if it succeeds the attacker holds an administrative session and can read or alter every stored credential.
  • Scope: any installation, on any version, where the default password was never changed after setup. A version upgrade does not change an existing password, so upgrading alone does not remediate this.

3. Detection and Assessment

Confirm the condition by attempting the default login against the web interface; a successful login is the finding. Do not rely on the version alone, since the condition depends on what was done after installation rather than on what was installed. As a complementary check, review the user list in the administration UI for built-in accounts that are still enabled and have never been used by a named person.

  • Quick checks: record the installed version from the ‘About’ section for the ticket, then attempt one login with the default credentials over HTTPS from a permitted network location. Keep it to one attempt per pair and make sure the test is authorised and logged.
  • Scanning: Nessus plugin ID 139685 is the detection this page lists; a scanner hit is itself a login attempt, so verify manually and keep the evidence.
  • Logs and evidence: check the audit or login logs for successful logins by the built-in administrator account, especially from sources that are not the administrators' workstations, and for bursts of failures against it.
# No vendor-supplied CLI check exists; the test is a login attempt against the web UI, by hand or scripted.
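A scripted form of the quick check, added here as an example; it is not ManageEngine's code and was not part of the original page. The login path, the form field names and the accepted/rejected heuristics are assumptions modelled on a typical Tomcat form login; confirm them against the real login form in a browser's network tab before use, and run it only against instances you are authorised to test:

```python
"""Try documented default credentials against a Password Manager Pro login form.

Added example, not ManageEngine's code.  Everything marked 'assumption' must be
checked against the real login form (browser dev tools, Network tab) first.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/j_security_check"                      # assumption: Tomcat-style form login
USER_FIELD, PASS_FIELD = "j_username", "j_password"   # assumption: form field names
FAILURE_MARKERS = ("invalid", "incorrect", "login failed")  # assumption: error text on re-rendered login page

# Pairs to try.  admin/guest is the pair this page uses in its examples;
# the vendor documentation for the installed version is the authority.
DEFAULT_CREDENTIALS = [("admin", "guest"), ("admin", "admin")]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the post-login redirect target is the evidence we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_post(url, form):
    """Default transport.  Returns (status, headers, body) without following redirects."""
    data = urllib.parse.urlencode(form).encode()
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(urllib.request.Request(url, data=data), timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 3xx and 4xx arrive here once redirects are off
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def classify(status, headers, body):
    """Map one login response to 'accepted', 'rejected' or 'unknown'.

    Heuristic (assumption): success redirects away from the login page; failure either
    redirects back to it, re-renders it with an error message, or answers 401/403.
    Anything else is 'unknown' and gets looked at by hand rather than guessed.
    """
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if 300 <= status < 400:
        return "rejected" if "login" in location.lower() else "accepted"
    if status in (401, 403):
        return "rejected"
    if status == 200 and any(marker in body.lower() for marker in FAILURE_MARKERS):
        return "rejected"
    return "unknown"


def probe_defaults(base_url, credentials=DEFAULT_CREDENTIALS, post=http_post):
    """Attempt each default pair once and return [(user, password, verdict), ...].

    One attempt per pair keeps this well under any lockout threshold: it is a
    check for a known default, not a brute-force run.
    """
    url = base_url.rstrip("/") + LOGIN_PATH
    results = []
    for user, password in credentials:
        status, headers, body = post(url, {USER_FIELD: user, PASS_FIELD: password})
        results.append((user, password, classify(status, headers, body)))
    return results


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://pmp.example.internal", file=sys.stderr)
        return 2
    findings = probe_defaults(argv[1])
    for user, password, verdict in findings:
        print(f"{user} / {password}: {verdict}")
    # Non-zero exit when any default pair is accepted, so a scheduler can alert on it.
    return 1 if any(verdict == "accepted" for _, _, verdict in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python probe.py https://pmp.example.internal` (hostname is a placeholder). The `post` parameter exists so the classification logic can be exercised with a stub transport; the exit code makes the same script usable as the scheduled post-fix check.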

4. Solution / Remediation Steps

The following steps provide a precise method for fixing this issue by changing the default login credentials.

4.1 Preparation

  • Take an application backup first so that a known-good state exists to return to. No services need to be stopped, but schedule the work in a maintenance window. Before changing anything, make sure a second administrator account with a known, tested password exists so that a mistyped new password cannot lock every administrator out.
  • Have the change approved by the system owner or security team and record where the new password will be held (break-glass process, not a shared document).

4.2 Implementation

  1. Step 1: Log in to the Password Manager Pro web administration interface with the current (default) credentials.
  2. Step 2: Navigate to ‘Admin’ > ‘Users’.
  3. Step 3: Set a long, randomly generated password on the built-in administrator account and store it through the break-glass process. Disable or delete any other built-in or sample accounts that nobody needs.
  4. Step 4: Log out, log back in with the new password, and confirm that the old password is now refused.

4.3 Config or Code Example

Before

# Default Credentials:
# Username: admin, Password: guest

After

# Updated credentials (example; values are placeholders):
# Username: admin            Password: <generated, 20+ random characters, never reused>
# Username: service_account  Password: <generated, held only in the break-glass vault>
# Unused built-in or sample accounts: disabled
# A memorable pattern such as StrongPassword123! is not a strong password; use a generator.

4.4 Security Practices Relevant to This Vulnerability

Several practices reduce the likelihood and the impact of this issue. Least privilege limits what a compromised account can reach. Safe defaults mean treating every new installation as exposed until its default accounts are changed, since the vendor's initial password is public. A regular patch cadence keeps the product free of the separate, code-level vulnerabilities that would otherwise compound this one.

  • Practice 1: Do not use the built-in administrator account for day-to-day work. Give each administrator a named account with only the roles they need, and keep the built-in account for break-glass use.
  • Practice 2: Enforce a strong password policy and multi-factor authentication on administrative accounts, and restrict the administration interface to a management network so a leaked password is not enough on its own.

4.5 Automation (Optional)

The password change itself is a web UI operation and this page lists no vendor-supplied command for it. What can be automated is the check that it was done: a scheduled login attempt with the default credentials against every instance, alerting when one is accepted.

5. Verification / Validation

  • Post-fix check: attempt to log in with the default credentials (this page's examples use admin / guest). The login must fail.
  • Re-test: re-run the quick check from section 3, including any scanner that flagged the instance, and confirm it no longer reports default credentials.
  • Smoke test: log in as a named administrator and open a stored password record to confirm the vault is still usable.
  • Monitoring: watch the audit logs for successful logins by the built-in administrator account (each one should map to a break-glass ticket) and for bursts of failed attempts against it, which indicate someone is still trying the defaults.
# No vendor-supplied command; verification is a login attempt against the web UI, by hand or scripted.
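The log review asked for in sections 3 and 5, as a script. This is an added example, not part of the original page and not the product's code. Password Manager Pro's real audit format is not shown on this page, so the sample lines are constructed and the regular expression that parses them is an assumption to be remapped onto the actual export:

```python
"""Flag default-account logins and failure bursts in login audit lines.

Added example, not the product's code.  SAMPLE_LOG and LINE_RE are constructed
for this example; remap LINE_RE onto the real audit export before use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_ACCOUNTS = {"admin", "guest"}   # built-in names this page discusses

# Constructed sample lines, not real Password Manager Pro output.
SAMPLE_LOG = """\
2025-12-27 09:00:01 AUDIT user=admin src=10.0.0.5 result=SUCCESS
2025-12-27 09:05:10 AUDIT user=alice src=10.0.0.7 result=SUCCESS
2025-12-27 09:10:00 AUDIT user=admin src=203.0.113.9 result=FAILURE
2025-12-27 09:10:02 AUDIT user=admin src=203.0.113.9 result=FAILURE
2025-12-27 09:10:04 AUDIT user=guest src=203.0.113.9 result=FAILURE
2025-12-27 09:10:06 AUDIT user=admin src=203.0.113.9 result=FAILURE
2025-12-27 09:10:08 AUDIT user=admin src=203.0.113.9 result=FAILURE
2025-12-27 09:10:10 AUDIT user=guest src=203.0.113.9 result=FAILURE
2025-12-27 11:00:00 AUDIT user=bob src=10.0.0.8 result=FAILURE
"""

# Assumed field layout; adjust the named groups to match the real log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) AUDIT "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse(text):
    """Turn matching lines into dicts; lines that do not match are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "user": m["user"],
                "src": m["src"],
                "ok": m["result"] == "SUCCESS",
            })
    return events


def default_account_logins(events):
    """Every successful login as a built-in account.  After remediation each one
    should map to a break-glass ticket; anything unexplained is an incident."""
    return [e for e in events if e["ok"] and e["user"] in DEFAULT_ACCOUNTS]


def bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failed logins against built-in accounts
    inside a sliding time window.  Returns {src: largest burst seen}."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"] and e["user"] in DEFAULT_ACCOUNTS:
            failures[e["src"]].append(e["ts"])
    flagged = {}
    for src, stamps in failures.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for e in default_account_logins(events):
        print(f"default account login: {e['user']} from {e['src']} at {e['ts']}")
    for src, count in bruteforce_sources(events).items():
        print(f"possible brute force: {count} failures from {src}")
```

On the constructed sample this reports one built-in admin login (10.0.0.5, to be matched against a ticket) and one source with six failures in ten seconds. The threshold and window are parameters because a single failed attempt from an administrator's workstation is noise, while a tight burst from an unknown address is the signal section 5 asks you to watch for.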

6. Preventive Measures and Monitoring

Security baselines should include an explicit check for default credentials on every product that ships with them. Where Password Manager Pro is deployed through a pipeline (images, infrastructure code), that pipeline should fail the deployment if the default login still works afterwards. A maintained asset inventory and patch process ensure every instance is known and kept current.

  • Baselines: update the security baseline to prohibit default credentials on all systems, and make the check part of the build or commissioning checklist rather than an annual audit item.
  • Pipelines: add a post-deployment test that attempts the default login and fails the pipeline when it succeeds; where installation scripts or infrastructure code carry credentials, scan them for hardcoded secrets as well.
  • Asset and patch process: keep an inventory of every instance so none is missed, and apply vendor security updates on a regular schedule; remember that patching does not change an existing default password.

7. Risks, Side Effects, and Roll Back

Changing the password does not interrupt the service, but a mistyped or lost new password can lock administrators out. Restoring the configuration backup is the last resort, not the first: it reverts every change made since the backup and puts the known default password back.

  • Risk or side effect 1: a mistyped or unrecorded new password locks out the built-in administrator. Keep a second, tested administrator account and store the new password through the break-glass process before making the change.
  • Roll back: first use the second administrator account to reset the password; only if that is unavailable restore the backup taken in preparation, then immediately change the default password again.


Updated on December 27, 2025
