Security issue with Active Directory integration SDP and authentication.


Hi


We have discovered a security issue with ManageEngine Service Desk Plus. This issue is related to all releases of SDP, and has been reported to ManageEngine by email and acknowledged and verified by support. The support ticket id is 7500885 and was reported for SDP in October 2016. The Bug id is SD-61664. Since this security issue has been reported, multiple updates have been released, without a fix for this issue included.


The security issue is that any user can log in to any other user's account by following the steps below. The other user does not know that you have accessed the account in SDP.


This security issue was also reported in SupportCenter Plus, by me then as well, and fixed almost 3 years ago. During this fix, you were also notified about the security issue in SDP.


Here is proof of concept:


Environment: Windows servers, with AD integration and AD pass-through enabled on SDP. There are no local users in SDP.  

How to exploit this issue:


1. Open up your SDP website as usual.

2. Press logout

3. Type in an AD username as username (any AD username will work; you will get their privilege level when logging in)

4. Type the AD username as password. (Use the same username as you used in step 3.)

5. Select local authentication NOT Directory authentication

6. Press log in.


That's it. You are now logged in as the user you want to be. The reason that this works is that when importing users from AD, SDP uses the AD username as a password for the user.


This issue has been confirmed by ManageEngine also, via email.


My last contact with ManageEngine was on December 15, 2016, where I was promised feedback on the case, but I have not heard from ManageEngine since then.


This lack of concern regarding security is frankly worrying. I can imagine that we are not the only IT department in the world that sometimes handles sensitive information regarding HR, accounting, payroll and lots of other information that not everybody needs. Since I have reported this case, you have not given me any feedback at all; I have been the one contacting you for an update. The case wasn't even answered before I contacted you 2 times for an update. The case was originally created on the 27.10.16, and your first response wasn't before 7.11.2016. Thankfully our SDP installation is not facing the internet.

When the case was reported in October, I also gave you the support ticket for SupportCenterPlus, where I reported the same security issue. This has now been fixed, see previous comment above. The issue was first reported to our IT department by one of our not so tech savvy users, who discovered this issue by mistake.

When can we expect an update that will fix this issue?

Regards

Rolv Arne Møllerhaug

Senior IT Consultant

Sana Pharma Group
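The root cause the post describes, a directory import that seeds each local account's password with the account's own username, is a general anti-pattern in user-provisioning code. The following Python is an added illustration that is not part of the post and models no ManageEngine code or API: a constructed in-memory user store with the weak import next to a hardened one (directory-backed accounts get an undisclosed random secret and local-password login disabled outright), plus an audit routine an administrator could run over such a store to flag accounts whose local password still equals the username. All function names, record fields and sample usernames are assumptions of this example.

```python
"""Vulnerable vs. hardened directory import, with an audit check.
Constructed example: an in-memory store standing in for a help-desk
application's local user table. Not ManageEngine code."""
import hashlib
import hmac
import secrets

# Kept modest so the example runs quickly; production deployments use far more.
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password (standard library only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str, *, local_auth: bool) -> dict:
    """Build one local-user record: fresh salt, hashed password, auth flag."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "hash": hash_password(password, salt),
        "local_auth": local_auth,   # may this account log in with a local password?
        "source": "directory",      # provisioned from AD, not created locally
    }


def vulnerable_import(ad_usernames):
    """Anti-pattern described in the post: the username doubles as the
    local password and local authentication stays enabled, so anyone who
    knows a username can log in as that user via the 'local' option."""
    return {u: make_record(u, local_auth=True) for u in ad_usernames}


def hardened_import(ad_usernames):
    """Directory-backed accounts receive a random secret that is never
    disclosed to anyone, and local-password login is disabled for them,
    so the only way in is the directory (pass-through) path."""
    return {u: make_record(secrets.token_urlsafe(32), local_auth=False)
            for u in ad_usernames}


def local_login(store: dict, username: str, password: str) -> bool:
    """Local-authentication check: refuse unknown users and accounts with
    local auth disabled; compare hashes in constant time otherwise."""
    rec = store.get(username)
    if rec is None or not rec["local_auth"]:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def audit_username_as_password(store: dict) -> list:
    """Defender check: return usernames whose local password equals the
    username while local auth is still enabled. Runs against the stored
    hashes, so it needs administrative access to the user table."""
    findings = []
    for username, rec in store.items():
        if not rec["local_auth"]:
            continue
        if hmac.compare_digest(rec["hash"], hash_password(username, rec["salt"])):
            findings.append(username)
    return sorted(findings)


if __name__ == "__main__":
    sample_users = ["alice", "bob"]          # constructed sample directory users
    weak = vulnerable_import(sample_users)
    fixed = hardened_import(sample_users)
    print("weak store, username-as-password accounts:", audit_username_as_password(weak))
    print("fixed store, username-as-password accounts:", audit_username_as_password(fixed))
```

The audit function is the piece worth keeping: it is a one-off sanity check that any application importing accounts from a directory should pass before local authentication is exposed alongside directory authentication.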
