RESTAPI Restriction Bypass Vulnerability - CVE-2022-29081

Severity : High

CVE ID : CVE-2022-29081

Product Name            Affected Version(s)    Fixed Version(s)    Fixed On
Access Manager Plus     4000 to 4301           4302                13-04-2022
Password Manager Pro    10103 to 12006         12007               14-04-2022
PAM360                  4001 to 5400           5401                15-04-2022

Details :
An authentication bypass vulnerability was reported that allows an attacker to bypass the security checks on specific RESTAPI URLs and gain unauthorized access to the application.

The following RESTAPI URLs were affected by the vulnerability:

  • //RestAPI/SSOutAction
  • //RestAPI/SSLAction
  • //RestAPI/LicenseMgr
  • //RestAPI/GetProductDetails
  • //RestAPI/GetDashboard
  • //RestAPI/FetchEvents
  • //RestAPI/Synchronize

We fixed this issue by adding a security validation check on the API request URI in PAM360 and Password Manager Pro, and by removing unused API URLs in Access Manager Plus.
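The affected URLs are listed above with a leading double slash, which suggests that the access-control check compared the raw request string rather than a canonical path; the advisory does not spell out the precise mechanism or the exact validation that was shipped. The following is an added example, not ManageEngine's code, of two things a defender would want here: a URI canonicalization check of the kind the fix describes (repeated slashes and dot segments resolved before the path is compared against the affected endpoint list), and a detection pass over access-log lines that flags unauthenticated successful requests to those endpoints or requests whose raw path differs from its canonical form. The log lines are constructed for the example; the endpoint list is the one given in this advisory.

```python
import re
from urllib.parse import unquote

# Affected endpoints exactly as listed in the advisory for CVE-2022-29081,
# stored in canonical form (single leading slash).
AFFECTED_ENDPOINTS = {
    "/RestAPI/SSOutAction",
    "/RestAPI/SSLAction",
    "/RestAPI/LicenseMgr",
    "/RestAPI/GetProductDetails",
    "/RestAPI/GetDashboard",
    "/RestAPI/FetchEvents",
    "/RestAPI/Synchronize",
}


def normalize_path(raw_uri):
    """Canonicalize a request path the way an access-control check should see it.

    Strips the query string and fragment, percent-decodes each segment,
    collapses repeated slashes and resolves '.' and '..' segments. Comparing
    ACLs against the raw string instead is what leaves spellings such as
    '//RestAPI/X' or '/a/../RestAPI/X' outside the protected set.
    (The query string is deliberately split off BEFORE decoding, so an
    encoded '?' inside a segment cannot truncate the path.)
    """
    path = raw_uri.split("?", 1)[0].split("#", 1)[0]
    out = []
    for seg in path.split("/"):
        seg = unquote(seg)
        if seg in ("", "."):
            continue  # empty segment (from '//') or current-dir reference
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_affected_request(raw_uri):
    """True when the canonical path is one of the affected RestAPI endpoints,
    regardless of how the raw request string was spelled."""
    return normalize_path(raw_uri) in AFFECTED_ENDPOINTS


# Constructed access-log lines in common log format for the detection example.
# These are NOT real logs from any ManageEngine deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2022:10:01:02 +0000] "GET //RestAPI/GetDashboard HTTP/1.1" 200 1811
10.0.0.5 - - [12/Apr/2022:10:01:09 +0000] "POST //RestAPI/SSLAction HTTP/1.1" 200 44
10.0.0.9 - admin [12/Apr/2022:10:02:00 +0000] "GET /RestAPI/GetDashboard HTTP/1.1" 200 1811
10.0.0.7 - - [12/Apr/2022:10:03:30 +0000] "GET /RestAPI/GetDashboard HTTP/1.1" 401 0
10.0.0.7 - - [12/Apr/2022:10:04:00 +0000] "GET /images/logo.png HTTP/1.1" 200 3120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_hits(log_text):
    """Return (ip, raw_uri, status) for requests that reach an affected endpoint
    either with no authenticated user and a 2xx status, or with a raw path that
    differs from its canonical form (a normalization-bypass attempt)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri")
        if not is_affected_request(uri):
            continue
        unauth_success = m.group("user") == "-" and m.group("status").startswith("2")
        non_canonical = uri.split("?", 1)[0] != normalize_path(uri)
        if unauth_success or non_canonical:
            hits.append((m.group("ip"), uri, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, uri, status in find_suspicious_hits(SAMPLE_LOG):
        print(f"{ip} -> {uri} ({status})")
```

Only the first two constructed lines are reported: both use the double-slash spelling and succeed without an authenticated user. The authenticated request to the canonical path and the rejected (401) request are not flagged. In a real deployment the same canonicalization belongs in the authentication filter, applied before any path-based allow or deny decision, and the detection pass is most useful against logs from before the fixed build was applied.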

Impact :
The vulnerability allowed an attacker to invoke the following operations in all three products:

  1. Restart the service
  2. Access dashboard details
  3. Apply a product license and get existing license details
  4. Create new server certificates
  5. Create/download server CSR, and apply server certificates
  6. Fetch event logs, and set up synchronization schedules

In addition, on PAM360 and Password Manager Pro the vulnerability also allowed attackers to terminate active RDP sessions that had been launched via ManageEngine ServiceDesk Plus.

Steps to Upgrade:

  1. Download the latest upgrade pack from the following links for the respective product:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements:

Reported by Evan Grant.

For further details, please contact product support at the email addresses below:

PAM360: pam360-support@manageengine.com

Password Manager Pro: passwordmanagerpro-support@manageengine.com

Access Manager Plus: accessmanagerplus-support@manageengine.com