ManageEngine Information Disclosure Flaw Exposes Encryption Keys

ManageEngine, one of the most widely used IT infrastructure management platforms that offers more than 60 Enterprise IT management tools, has been discovered with an Information Disclosure vulnerability which is tracked as CVE-2023-6105.

This vulnerability affects multiple ManageEngine products, including ADManager, ADSelfService, M365 Manager, Endpoint Central, Service Desk, Access Manager, and many others. The severity of this vulnerability has been given as 5.5 (Medium).

CVE-2023-6105: ManageEngine Information Disclosure

This information disclosure vulnerability exposes encryption keys and exists on multiple ManageEngine products.

A low-privileged OS user with access to the host on an affected product can view and utilize the exposed key for decrypting the product database passwords, resulting in access to the ManageEngine product database.

Additionally, the encryption key is stored in the “CryptTag” configuration in <PRODUCT_INSTALLATION_DIR>\conf\customer-config.xml, and the usernames and passwords for ManageEngine product database can be found in the <PRODUCT_INSTALLATION_DIR>\conf\database_params.conf.

However, the database password can be decrypted using the encryption key from the XML file and the .conf file. An attacker with access to the product database can run OS commands with SYSTEM privileges or some administrative account privileges. 

Added to this, the threat actor can reset the password of an administrative user and view data contents that possess sensitive information. A has been published, which provides detailed information about the Python script used for decrypting the password and its output.

A complete report and proof of concept for this vulnerability has been published by Tenable, which provides detailed information about this vulnerability and its patches.

Affected Products

• Service Desk Plus prior to version 14304
• Asset Explorer prior to version 7004
• Service Desk Plus MSP prior to version 14305
• Support Center Plus prior to version 14304
• Access Manager Plus prior to version 4310
• PAM 360 prior to version 5700
• Password Manager Pro prior to version 12300
• OpManager prior to version 125632 on Windows and version 127243 on Linux
• Firewall Analyser prior to version 125632 on Windows and version 127243 on Linux
• Netflow Analyser prior to version 125632 on Windows and version 127243 on Linux
• Network Configurations Manager prior to version 125632 on Windows and version 127243 on Linux
• OpUtils prior to version 125632 on Windows and version 127243 on Linux
• Creator On-Premise prior to version 2.0.0
• Analytics Plus On-Premise prior to version 5300
• ADSelfService Plus prior to version 6304
• ADManager Plus prior to version 7210
• ADAudit Plus prior to version 7251
• Cloud Security Plus prior to version 4170
• Data Security Plus prior to version 6126
• Exchange Reporter Plus prior to version 5713
• M365 Manager Plus prior to version 4539
• M365 Security Plus prior to version 4539
• SharePoint Manager Plus prior to version 4405
• Recovery Manager Plus prior to version 6074
• Log360 UEBA prior to version 4050
• Endpoint Central prior to version 11.2.2322.01
• Endpoint Central MSP prior to version 11.2.2322.01
• Remote Monitoring and Management prior to version 10.2.11
• Mobile Device Management prior to version 10.1.2204.2
• Remote Access Plus prior to version 11.2.2328.01
• OS Deployer prior to version 1.2.2331.1
• Browser Security Plus prior to version 11.2.2328.01
• Patch Manager Plus prior to version 11.2.2328.01
• Vulnerability Manager Plus prior to version 11.2.2328.01
• Application Control Plus prior to version 11.2.2328.01
• Patch Connect Plus prior to version 90124
• Device Control Plus prior to version 11.2.2328.01
• Endpoint DLP Solution prior to version 11.2.2328.01
• Secure Gateway Server prior to version 90091

Users of these ManageEngine products are recommended to apply vendor-specific patches for affected installations to prevent this vulnerability from getting exploited.

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.