ManageEngine Information Disclosure Flaw Exposes Encryption Keys

ManageEngine, one of the most widely used IT infrastructure management platforms that offers more than 60 Enterprise IT management tools, has been discovered with an Information Disclosure vulnerability which is tracked as CVE-2023-6105 .



This vulnerability affects multiple ManageEngine products, including ADManager, ADSelfService, M365 Manager, Endpoint Central, Service Desk, Access Manager, and many others. The severity of this vulnerability has been given as 5.5 ( Medium ).



CVE-2023-6105 : ManageEngine Information Disclosure



This information disclosure vulnerability exposes encryption keys and exists on multiple ManageEngine products.



A low-privileged OS user with access to the host on an affected product can view and utilize the exposed key for decrypting the product database passwords, resulting in access to the ManageEngine product database.



Additionally, the encryption key is stored in the “CryptTag” configuration in <PRODUCT_INSTALLATION_DIR>confcustomer-config.xml, and the usernames and passwords for ManageEngine product database can be found in the <PRODUCT_INSTALLATION_DIR>confdatabase_params.conf.



However, the database password can be decrypted using the encryption key from the XML file and the .conf file. An attacker with access to the product database can run OS commands with SYSTEM privileges or some administrative account privileges. 



Added to this, the threat actor can reset the password of an administrative user and view data contents that possess sensitive information. A has been published, which provides detailed information about the Python script used for decrypting the password and its output.



A complete report and proof of concept for this vulnerability has been published by Tenable, which provides detailed information about this vulnerability and its patches.



Affected Products



Service Desk Plus prior to version 14304



Asset Explorer prior to version 7004



Service Desk Plus MSP prior to version 14305



Support Center Plus prior to version 14304



Access Manager Plus prior to version 4310



PAM 360 prior to version 5700



Password Manager Pro prior to version 12300



OpManager prior to version 125632 on Windows and version 127243 on Linux



Firewall Analyser prior to version 125632 on Windows and version 127243 on Linux



Netflow Analyser prior to version 125632 on Windows and version 127243 on Linux



Network Configurations Manager prior to version 125632 on Windows and version 127243 on Linux



OpUtils prior to version 125632 on Windows and version 127243 on Linux



Creator On-Premise prior to version 2.0.0



Analytics Plus On-Premise prior to version 5300



ADSelfService Plus prior to version 6304



ADManager Plus prior to version 7210



ADAudit Plus prior to version 7251



Cloud Security Plus prior to version 4170



Data Security Plus prior to version 6126



Exchange Reporter Plus prior to version 5713



M365 Manager Plus prior to version 4539



M365 Security Plus prior to version 4539



SharePoint Manager Plus prior to version 4405



Recovery Manager Plus prior to version 6074



Log360 UEBA prior to version 4050



Endpoint Central prior to version 11.2.2322.01



Endpoint Central MSP prior to version 11.2.2322.01



Remote Monitoring and Management prior to version 10.2.11



Mobile Device Management prior to version 10.1.2204.2



Remote Access Plus prior to version 11.2.2328.01



OS Deployer prior to version 1.2.2331.1



Browser Security Plus prior to version 11.2.2328.01



Patch Manager Plus prior to version 11.2.2328.01



Vulnerability Manager Plus prior to version 11.2.2328.01



Application Control Plus prior to version 11.2.2328.01



Patch Connect Plus prior to version 90124



Device Control Plus prior to version 11.2.2328.01



Endpoint DLP Solution prior to version 11.2.2328.01



Secure Gateway Server prior to version 90091
Users of these ManageEngine products are recommended to apply vendor-specific patches for affected installations to prevent this vulnerability from getting exploited.



Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications:  Try Free Trial .
The post ManageEngine Information Disclosure Flaw Exposes Encryption Keys appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .