CVE-2018-5353
📋 TL;DR
The custom GINA/CP (Windows logon-screen) module of Zoho ManageEngine ADSelfService Plus allows a remote attacker to execute arbitrary code with SYSTEM privileges by spoofing the ADSelfService Plus server that the module talks to. Versions before 5.5 build 5517 are affected. No credentials are needed: the attacker either reaches the logon screen over RDP on a host where Network Level Authentication (NLA) is disabled, or impersonates the server on the network where the module's web-server certificate validation is misconfigured.
💻 Affected Systems
- Zoho ManageEngine ADSelfService Plus before 5.5 build 5517, specifically Windows endpoints on which its custom GINA/CP logon-screen module is installed
📦 What is this software?
ManageEngine ADSelfService Plus (Zoho Corporation) is a self-service password reset and account unlock product for Active Directory. Besides the web server, it ships an optional GINA/Credential Provider (GINA/CP) module that is deployed to Windows endpoints and adds a "Reset Password / Unlock Account" link to the Windows logon screen; that link contacts the ADSelfService Plus server, which is the component this CVE concerns.
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated code execution as SYSTEM on every endpoint running the GINA/CP module, enabling credential theft from LSASS, lateral movement, data exfiltration and persistent backdoors across the domain.
Likely Case
SYSTEM-level compromise of individual workstations or servers exposed over RDP without NLA (or reachable by an on-path attacker), followed by credential harvesting, domain compromise and ransomware deployment.
If Mitigated
With NLA required on RDP and the ADSelfService Plus server certificate correctly validated by the module, the unauthenticated remote path is closed: an attacker would need valid domain credentials to reach the logon screen, or a privileged network position to impersonate the server.
🎯 Exploit Status
Public exploit code is reported to be available on GitHub. Exploitation requires network reachability of the target (RDP to a host without NLA, or an on-path position between the GINA/CP module and its server) but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5 build 5517 and later
Vendor Advisory: https://www.manageengine.com/products/self-service-password/release-notes.html
Restart Required: Yes
Instructions:
1. Download ADSelfService Plus 5.5 build 5517 or later from the ManageEngine website.
2. Stop the ADSelfService Plus service.
3. Install the update.
4. Restart the service and verify that the web console and password reset/unlock functions work.
5. Because the vulnerable component is the GINA/CP module on endpoints, check the release notes for whether the module must be redeployed to endpoints, and confirm the module version installed there matches the updated build.
🔧 Temporary Workarounds
Enable Network Level Authentication
Windows: require Network Level Authentication for RDP connections so that unauthenticated clients never reach the logon screen (and the GINA/CP link on it).
gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security → Require user authentication for remote connections by using Network Level Authentication → Enabled
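The following PowerShell is an added example (not vendor code or part of the original page) that audits whether NLA is actually in force on a host, from all three places it can be set (the live listener via WMI, the listener registry value, and the Group Policy value written by the setting above), and can enforce it. It assumes the default listener name RDP-Tcp and an elevated session; the WMI class Win32_TSGeneralSetting and its SetUserAuthenticationRequired/SetSecurityLayer methods are the same ones the System Properties dialog uses.

```powershell
# Added example (not vendor code): audit and enforce NLA on the RDP-Tcp listener.
# Assumptions: listener is named RDP-Tcp (the default) and the session is elevated.
$RdpListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpListener {
    Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpNlaState {
    # Effective NLA state from WMI plus the two registry locations it can come from.
    $ts       = Get-RdpListener
    $listener = Get-ItemProperty -Path $RdpListenerKey -Name UserAuthentication -ErrorAction SilentlyContinue
    $policy   = Get-ItemProperty -Path $RdpPolicyKey   -Name UserAuthentication -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        NlaRequired      = [bool]$ts.UserAuthenticationRequired
        ListenerRegistry = $listener.UserAuthentication   # 1 = NLA required on the listener itself
        PolicyRegistry   = $policy.UserAuthentication     # $null = no GPO applied, 1 = enforced by policy
        SecurityLayer    = $ts.SecurityLayer              # 0 = RDP security layer, 1 = Negotiate, 2 = TLS
    }
}

function Enable-RdpNla {
    # Requires NLA and the TLS security layer; takes effect for new connections, needs admin rights.
    $ts = Get-RdpListener
    $r1 = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                           -Arguments @{ UserAuthenticationRequired = 1 }
    $r2 = Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer -Arguments @{ SecurityLayer = 2 }
    if ($r1.ReturnValue -ne 0 -or $r2.ReturnValue -ne 0) {
        throw "Enforcing NLA failed: SetUserAuthenticationRequired=$($r1.ReturnValue) SetSecurityLayer=$($r2.ReturnValue)"
    }
    Get-RdpNlaState
}

$state = Get-RdpNlaState
$state | Format-List
if (-not $state.NlaRequired) {
    Write-Warning 'NLA is not required: the logon screen, and the GINA/CP link on it, is reachable by unauthenticated RDP clients.'
    # Enable-RdpNla   # uncomment to enforce on this host; at scale, apply the GPO shown above instead
}
```

A host where NlaRequired is true but PolicyRegistry is empty has NLA set locally only; a local administrator can switch it off again, so prefer the GPO for anything more than a one-off fix.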
Disable custom GINA/CP module
Windows: temporarily remove the vulnerable logon-screen integration where it is not required. The module runs on the endpoints it was deployed to, not on the ADSelfService Plus server, so either uninstall it from those endpoints or turn off the logon-screen link from the ADSelfService Plus admin console; consult the vendor documentation for the exact menu path in your build.
🧯 If You Can't Patch
- Do not expose RDP (TCP 3389) on endpoints running the GINA/CP module, or the ADSelfService Plus server itself, to the Internet; restrict RDP to administrator jump hosts and require NLA.
- Make sure the module's server URL uses HTTPS with the DNS name that appears in a certificate issued by a CA the endpoints trust (no self-signed or mismatched certificates), and monitor for certificate validation failures and unexpected certificate changes on that endpoint.
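The following PowerShell is an added example (not vendor code or part of the original page) for the certificate check above: it performs a TLS handshake against the ADSelfService Plus HTTPS endpoint with the same host name the GINA/CP module is configured to use and reports exactly why a validating client would reject the certificate (name mismatch, untrusted chain, self-signed). The host name adss.corp.example is a placeholder; port 9251 is the product's default HTTPS port, so adjust both to your installation.

```powershell
# Added example (not vendor code): inspect the certificate the ADSelfService Plus server presents
# and report whether a properly validating client (such as the GINA/CP module) would trust it.
# Assumptions: run from an endpoint that has the GINA/CP module, using the exact host name the
# module is configured with; 9251 is the product's default HTTPS port.
function Test-AdssServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 9251,
        [int]$TimeoutMs = 5000
    )
    # Shared state the validation callback writes into (hashtable, so the closure sees mutations).
    $state = @{ Errors = $null }
    $callback = {
        param($sender, $cert, $chain, $policyErrors)
        $state.Errors = $policyErrors   # record the verdict, then accept so the cert can be inspected
        return $true
    }.GetNewClosure()
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]$callback

    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "Connection to ${HostName}:$Port timed out"
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $validator)
        $ssl.AuthenticateAsClient($HostName)   # the name given here is what the name check is done against
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host         = $HostName
            Port         = $Port
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            PolicyErrors = $state.Errors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
            Trusted      = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Placeholder host name; replace with the server URL host configured in the GINA/CP module.
$result = Test-AdssServerCertificate -HostName 'adss.corp.example' -Port 9251
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning "Certificate would be rejected by a validating client: $($result.PolicyErrors). A module configured to tolerate this is exactly what makes server spoofing possible."
}
```

Run it from an endpoint, not from the server: Trusted reflects that endpoint's trust store. A result of RemoteCertificateNameMismatch usually means the module is pointed at an IP address or short name that is not in the certificate; RemoteCertificateChainErrors means the issuing CA is not trusted by the endpoint. Record the Thumbprint as the known-good value and alert when the value presented on the network changes.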
🔍 How to Verify
Check if Vulnerable:
Check the ADSelfService Plus build number in the web console's About page or in the product's installation directory. Anything below 5.5 build 5517 is vulnerable. Also check which build of the GINA/CP module is installed on endpoints, since that is the component the attack targets.
Check Version:
On the server, open the web console (by default ADSelfService Plus listens on port 8888 for HTTP and 9251 for HTTPS; the ports may have been changed at install time) and read the build number from the About page, or inspect the product's installation directory. On endpoints, check the GINA/CP module entry in Programs and Features.
Verify Fix Applied:
Confirm the About page shows 5.5 build 5517 or higher, confirm the GINA/CP module on endpoints has been updated if the release notes require it, and test that password reset and account unlock from the web console and from the logon screen still work.
📡 Detection & Monitoring
Log Indicators:
- Unusual or failed reset/unlock requests arriving at the ADSelfService Plus server from the GINA/CP module, especially from hosts with no interactive user
- Unexpected child processes of winlogon.exe or LogonUI.exe at the logon screen (a browser, cmd.exe or PowerShell spawned as SYSTEM before any user has logged on)
- Certificate validation failures, or a change in the certificate presented by the ADSelfService Plus server, as seen from the endpoints
Network Indicators:
- RDP sessions (TCP 3389) that reach the logon screen without NLA/CredSSP, in particular from addresses that are not administrator jump hosts
- GINA/CP module traffic to the ADSelfService Plus server over plain HTTP (default port 8888) instead of HTTPS (default port 9251), or TLS sessions in which the server presents a certificate other than the known one
SIEM Query:
Process creation (Windows Security event 4688 or Sysmon event 1): parent_process IN ("winlogon.exe", "LogonUI.exe") AND process NOT IN ("LogonUI.exe", "userinit.exe", "dwm.exe", "fontdrvhost.exe", "mpnotify.exe")
Application logs: source="ADSelfService Plus" AND event_type="authentication_failure"
The original query filtered on the parent of winlogon.exe, which is always smss.exe; the indicator for this CVE is the opposite relationship, a process whose parent is winlogon.exe or LogonUI.exe. The exclusion list is a baseline of normal logon-sequence children and should be tuned per environment.
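The following PowerShell is an added example (not vendor code or part of the original page) that implements the process-creation detection above over Security event 4688 and, so the logic can be exercised offline, over a few constructed sample records. It needs "Audit Process Creation" enabled (and "Include command line in process creation events" for the CommandLine column); the ParentProcessName field in 4688 exists from Windows 8.1/Server 2012 R2 onward. The allow-list of normal winlogon children is a starting baseline of my own, not a vendor-documented set, and the sample records are made up.

```powershell
# Added example (not vendor code): flag processes spawned at the Windows logon screen, i.e. children
# of winlogon.exe or LogonUI.exe that are not part of the normal logon sequence.
# Assumptions: Security log 4688 auditing is enabled; the allow-list below is a baseline to tune.
$LogonScreenParents = @('winlogon.exe', 'LogonUI.exe')
$ExpectedChildren   = @('LogonUI.exe', 'userinit.exe', 'dwm.exe', 'fontdrvhost.exe', 'mpnotify.exe')

function ConvertFrom-ProcessCreationEvent {
    # Flattens a 4688 EventRecord into a plain object with short image names.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $parent = $null
        if ($d['ParentProcessName']) { $parent = Split-Path -Leaf $d['ParentProcessName'] }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Computer    = $x.Event.System.Computer
            Parent      = $parent
            Child       = Split-Path -Leaf $d['NewProcessName']
            CommandLine = $d['CommandLine']
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
}

function Select-SuspiciousLogonScreenChild {
    # Pure filter: keeps records whose parent is a logon-screen process and whose child is not expected.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        if ($Record.Parent -in $LogonScreenParents -and $Record.Child -notin $ExpectedChildren) { $Record }
    }
}

function Find-SuspiciousLogonScreenProcesses {
    # Live query over the local Security log; run on hosts that have the GINA/CP module installed.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ConvertFrom-ProcessCreationEvent |
        Select-SuspiciousLogonScreenChild
}

# Constructed sample records (not real telemetry; the URL host is a placeholder) to show what is kept.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; Parent = 'winlogon.exe'; Child = 'LogonUI.exe';  CommandLine = 'LogonUI.exe /flags:0x0';                     User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ Time = Get-Date; Parent = 'LogonUI.exe';  Child = 'iexplore.exe'; CommandLine = 'iexplore.exe https://adss.corp.example:9251/'; User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ Time = Get-Date; Parent = 'winlogon.exe'; Child = 'cmd.exe';      CommandLine = 'cmd.exe';                                    User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ Time = Get-Date; Parent = 'explorer.exe'; Child = 'cmd.exe';      CommandLine = 'cmd.exe';                                    User = 'CORP\alice' }
)
# Keeps the second and third records: a browser under LogonUI.exe and a shell under winlogon.exe, both as SYSTEM.
$sample | Select-SuspiciousLogonScreenChild | Format-Table Parent, Child, CommandLine, User

# Find-SuspiciousLogonScreenProcesses -Since (Get-Date).AddHours(-6)
```

The separation between the event parser and the pure filter is deliberate: the same Select-SuspiciousLogonScreenChild logic can be fed from Sysmon event 1 (ParentImage/Image) or from a SIEM export with only the field names changed, and the sample records let you confirm the allow-list behaves before deploying it.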