Regarding vulnerabilities disclosed in seclists.org

Hi,

This is with reference to the security vulnerabilities in Password Manager Pro disclosed by security researcher Sebastian Perez on seclists.org on 4 April, 2016. The vulnerabilities were largely addressed in PMP builds 8300 and 8303; if you are using PMP version 8303 or later (released in Dec 2015), no action is required from your end. If you are using version 8302 or earlier, you need to upgrade to 8303 or to the latest version, 8402.

Here are some background details:

Security researcher Sebastian Perez responsibly disclosed the vulnerabilities to ManageEngine on 7 July, 2015. As part of our vulnerability handling and security response process, our security and development teams got in touch with him and gathered information. We gave the highest priority to fixing the vulnerabilities.

Vulnerabilities #2, #4, #7 and partially #8 were addressed in version 8300 (released in Oct 2015), and #1, #3, #5 and #6 were addressed subsequently in version 8302 (released in Dec 2015). While the first fix was duly conveyed to the researcher, there was a miscommunication on our part in reporting the second fix to him promptly; it was communicated later, in Feb 2016. After validating the fixes for vulnerabilities #1 to #7, the researcher has now publicly disclosed the vulnerabilities.

We would like to thank the researcher, Sebastian, for responsibly disclosing the vulnerabilities and for working with us to help protect our customers. We also sincerely apologize for the delay in communicating the details of the second fix to him.

Vulnerability #8 (Cross-Site Request Forgery) has so far been only partially addressed. We are working to address it completely and are striving to release the fix at the earliest (within three months).

Though vulnerability #8 still partially exists in the latest version, we would like to highlight how difficult it is to exploit. This vulnerability can be exploited by Password Manager Pro users while they remain authenticated, provided the user knows PMP's URL construction pattern and the various parameters required to craft forged requests. It can be exploited only by forging the URL, not through inputs in the GUI.

However, as a precautionary measure, you can restrict user access to PMP to specific IPs or a specific IP range. Carry out the following steps to enforce this restriction:

  • Stop the PMP Service if it is running
  • Open the server.xml file in the <PMP_HOME>\conf folder
  • Search for this line:
    <Context path="" docBase="PassTrix" debug="0" useHttpOnly="true"/>
  • Add the following line after the one shown above (replace the sample IPs with your own entries; the IPs / range entered here are the allowed IPs):
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1,192.168.212.*"/>
  • Start the PMP Service
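The valve added in the steps above decides per request, so it is worth confirming both that the edit landed in server.xml and how the allow list is interpreted. The following Python check is an added example, not ManageEngine's code and not part of this advisory; the server.xml fragment in it is constructed to mirror the steps, and the helpers tighten_entry and hardened_allow as well as the 10.1.1.* entry are assumptions made for the illustration. It demonstrates two points. First, Tomcat compares each allow entry as a java.util.regex pattern that must match the whole client address, so an unescaped dot is a one-character wildcard and a short prefix such as 10.1.1.* also admits 10.1.10.5; escaping the dots and bounding the last octet avoids that. Second, Tomcat 6 accepts the comma-separated list form used in the sample, whereas Tomcat 7 and later treat the attribute as a single regular expression whose alternatives are joined with |, so check which Tomcat your PMP build bundles before choosing the form. Keep in mind that a CSRF request is issued by the authenticated user's own browser from an allowed address, so this restriction narrows who can be targeted rather than blocking the forged request; it is the precaution the advisory describes, not a fix for #8.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment in the shape the steps above produce; the
# real <PMP_HOME>\conf\server.xml contains many more elements than this.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="" docBase="PassTrix" debug="0" useHttpOnly="true"/>
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="127.0.0.1,192.168.212.*"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def allow_entries(server_xml):
    """Collect the allow entries of every RemoteAddrValve in the document.

    The advisory's sample uses the comma-separated (Tomcat 6) list form, so the
    attribute is split on commas; whitespace is stripped and empty entries dropped.
    """
    root = ET.fromstring(server_xml)
    entries = []
    for valve in root.iter("Valve"):
        if valve.get("className") == REMOTE_ADDR_VALVE and valve.get("allow"):
            entries.extend(e.strip() for e in valve.get("allow").split(",") if e.strip())
    return entries


def is_allowed(client_ip, entries):
    """Mirror the valve's decision for one client address.

    Tomcat evaluates each entry as a java.util.regex pattern with Matcher.matches(),
    i.e. the whole address must match, so an unescaped '.' is a single-character
    wildcard rather than a literal dot. re.fullmatch reproduces that behaviour.
    """
    return any(re.fullmatch(entry, client_ip) for entry in entries)


def tighten_entry(entry):
    """Hypothetical helper: rewrite a dotted/wildcard entry ('192.168.212.*') as a
    regex that matches only that IPv4 prefix. Dots become literal and the trailing
    wildcard becomes one to three digits; entries without a trailing wildcard are
    treated as exact addresses and escaped."""
    if entry.endswith(".*"):
        octets = entry[:-2].split(".")
        return r"\.".join(re.escape(o) for o in octets) + r"\.\d{1,3}"
    return re.escape(entry)


def hardened_allow(entries, single_regex=False):
    """Hypothetical helper: build the allow attribute value from tightened entries.
    Tomcat 6 takes a comma-separated list; Tomcat 7 and later take one regular
    expression, so for those the alternatives are joined with '|' instead."""
    tightened = [tighten_entry(e) for e in entries]
    return "|".join(tightened) if single_regex else ",".join(tightened)


if __name__ == "__main__":
    entries = allow_entries(SERVER_XML)
    print("allow entries found in server.xml:", entries)
    # Constructed client addresses: two inside the sample ranges, two outside.
    for ip in ("127.0.0.1", "192.168.212.40", "192.168.21.25", "10.0.0.5"):
        print(f"{ip:16} sample patterns -> {is_allowed(ip, entries)}")
    # The wildcard pitfall: a short prefix also matches a neighbouring /24.
    loose, tight = ["10.1.1.*"], [tighten_entry("10.1.1.*")]
    print("10.1.10.5 vs 10.1.1.*      ->", is_allowed("10.1.10.5", loose))
    print("10.1.10.5 vs tightened     ->", is_allowed("10.1.10.5", tight))
    print("Tomcat 6 list form   :", hardened_allow(entries))
    print("Tomcat 7+ single form:", hardened_allow(entries, single_regex=True))
```

Run it with python3; it prints the entries parsed from the fragment, the decision for a few constructed addresses, the wildcard over-match next to its tightened counterpart, and the equivalent attribute value in both syntaxes. Point allow_entries at the real file contents to verify your own edit before starting the PMP Service.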


Next Steps (if you are using version 8303 or earlier):

Download the upgrade pack from our website and upgrade to version 8303, or incrementally to the latest version, 8402. Please read the upgrade instructions carefully before upgrading. For any assistance, write to us at passwordmanagerpro-support@manageengine.com or call our toll-free number +1 888 720 9500.

Important Note: As always, make a copy of the entire Password Manager Pro installation folder before applying the upgrade pack and keep the copy in another location. If something goes wrong with the PMP upgrade, you can fall back on the copy; all your settings will remain intact. Additionally, if you are using MS SQL Server as the back-end database, make a backup of the Password Manager Pro database before applying the upgrade pack. Once the upgrade is successful in all respects, remember to delete the backup.

We sincerely apologize for the inconvenience caused. We reassure you that you are quite safe with PMP and that we take security seriously. We would be glad to assist you with the upgrade to the latest version if you are using version 8302 or earlier. Do write to PMP support if you need any assistance or clarification.

Thanks,

Bala

(ManageEngine Password Manager Pro)

