CVE-2023-35719

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.

ManageEngine ADSelfService Plus GINA Client Verificación insuficiente de autenticidad de datos Vulnerabilidad de omisión de autenticación. Esta vulnerabilidad permite a atacantes físicamente presentes ejecutar código arbitrario en instalaciones afectadas de ManageEngine ADSelfService Plus. No se requiere autenticación para aprovechar esta vulnerabilidad. La falla específica existe en el Portal de restablecimiento de contraseña utilizado por el cliente GINA. El problema se debe a la falta de autenticación adecuada de los datos recibidos a través de HTTP. Un atacante puede aprovechar esta vulnerabilidad para eludir la autenticación y ejecutar código en el contexto de SYSTEM. Era ZDI-CAN-17009.

This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM.

*Credits: Pedro Ribeiro (pedrib@gmail.com | @pedrib1337), João Bigotte and Ashley King from Agile Information Security

CVSS Scores

NISTv3.1 6.8

Attack Vector

Physical

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-06-15 CVE Reserved
2023-06-21 CVE Published
2024-09-26 CVE Updated
2024-10-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-345: Insufficient Verification of Data Authenticity

CAPEC

References (2)

URL	Tag	Source
https://www.zerodayinitiative.com/advisories/ZDI-23-891	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html	2023-09-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zohocorp Search vendor "Zohocorp"		Manageengine Adselfservice Plus Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus"				6.1 Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" and version "6.1"		6122		Affected