QID 378353

Date Published: 2023-04-17

QID 378353: Zoho ManageEngine ServiceDesk Plus MSP Authentication Bypass Vulnerability

Zoho ManageEngine ServiceDesk Plus MSP is vulnerable to an authentication bypass in its Active Directory/LDAP authentication.

A flaw in the LDAP authentication process for user details imported from the LDAP server, when those details are modified manually or through an API, allows an adversary to log in to the application using any random input as the password.

Affected Versions:
ManageEngine ServiceDesk Plus MSP versions from 10600 to 10610
ManageEngine ServiceDesk Plus MSP versions from 13000 to 13003

NOTE:
This vulnerability is applicable only when LDAP authentication is enabled.

QID Detection Logic (Authenticated):
Windows: Checks for vulnerable version of ManageEngine ServiceDesk Plus MSP by reading the version from buildinfo.xml file.
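The detection logic above reduces to a version comparison against the two affected build ranges, gated by whether LDAP authentication is enabled. The following is an added example of that check, not Qualys' detection code and not ManageEngine's: it reads a build number from a buildinfo.xml document and classifies it against the ranges the advisory lists. The element layout (`<buildinfo><buildnumber>`) is an assumption, as the page does not describe the file's structure, and the sample document is constructed.

```python
"""Added example (not Qualys' or ManageEngine's code): a local, defender-side
version check mirroring the QID 378353 detection logic.

Assumptions: buildinfo.xml carries the build number in a <buildnumber> element
under the root; the real file's element names are not given on the page."""
import xml.etree.ElementTree as ET

# Affected build ranges, inclusive, exactly as the advisory lists them.
AFFECTED_RANGES = [(10600, 10610), (13000, 13003)]

# Constructed sample document in the assumed layout.
SAMPLE_BUILDINFO = "<buildinfo><buildnumber>10605</buildnumber></buildinfo>"


def is_affected_build(build: int) -> bool:
    """True if the build falls inside one of the affected ranges."""
    return any(lo <= build <= hi for lo, hi in AFFECTED_RANGES)


def extract_build_number(xml_text: str) -> int:
    """Pull the integer build number out of a buildinfo.xml document
    (assumed layout: <buildnumber> directly under the root element)."""
    root = ET.fromstring(xml_text)
    node = root.find("buildnumber")  # assumed element name
    if node is None or node.text is None:
        raise ValueError("no <buildnumber> element found (assumed layout)")
    return int(node.text.strip())


def assess(xml_text: str, ldap_auth_enabled: bool) -> dict:
    """Combine the version check with the advisory's NOTE: the flaw is only
    reachable when LDAP authentication is enabled. Returns a small report."""
    build = extract_build_number(xml_text)
    vulnerable_build = is_affected_build(build)
    exposed = vulnerable_build and ldap_auth_enabled
    if not vulnerable_build:
        action = "no action: build outside affected ranges"
    elif exposed:
        action = "apply vendor patch; disable LDAP authentication as interim workaround"
    else:
        action = "apply vendor patch; currently not exposed because LDAP auth is off"
    return {
        "build": build,
        "vulnerable_build": vulnerable_build,
        "ldap_auth_enabled": ldap_auth_enabled,
        "exposed": exposed,
        "action": action,
    }


if __name__ == "__main__":
    for ldap_on in (True, False):
        print(assess(SAMPLE_BUILDINFO, ldap_auth_enabled=ldap_on))
```

Because buildinfo.xml is read from the local install rather than from the network, the standard-library parser is adequate here; the ranges are kept as data so a fixed build list can be updated without touching the comparison logic.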

Successful exploitation of this vulnerability may allow an adversary to log in to the application using any random input as the password.

  • CVSS V3 rated as Critical - 9.1 severity.
  • CVSS V2 rated as High - 6.4 severity.
  • Solution
    The vendor has released patches addressing the vulnerability. For more information, please refer to the Zoho ManageEngine Security Advisory.

    Workaround:
    Customers can disable LDAP authentication in ServiceDesk Plus MSP.

    Vendor References

    CVEs related to QID 378353

    Software Advisories
    Advisory ID: Zoho ManageEngine Security Advisory
    Link: www.manageengine.com/products/service-desk-msp/cve-2023-22964.html