CVE-2021-37423

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to take over linked applications in Zoho ManageEngine ADSelfService Plus. Attackers can potentially gain unauthorized access to integrated systems and perform malicious actions. Organizations using ADSelfService Plus version 6111 and earlier are affected.

💻 Affected Systems

Products:
  • Zoho ManageEngine ADSelfService Plus
Versions: 6111 and prior versions
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with linked applications configured are vulnerable. The vulnerability affects the core application functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of linked applications, potentially leading to domain takeover, data exfiltration, and lateral movement across the network.

🟠 Likely Case

Unauthorized access to integrated systems, credential theft, and privilege escalation within the ADSelfService Plus environment.

🟢 If Mitigated

Limited impact with proper network segmentation, application isolation, and monitoring in place.

🌐 Internet-Facing: HIGH - ADSelfService Plus is often exposed externally for self-service password reset functionality.
🏢 Internal Only: HIGH - Even internally, this vulnerability can lead to significant compromise of linked systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability allows takeover of linked applications, suggesting relatively straightforward exploitation once discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6112 hotfix

Vendor Advisory: https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6112-hotfix-release

Restart Required: Yes

Instructions:

1. Download the 6112 hotfix from the ManageEngine portal.
2. Stop the ADSelfService Plus service.
3. Apply the hotfix.
4. Restart the service.
5. Verify the version shows 6112.

🔧 Temporary Workarounds

Disable Linked Applications

Temporarily disable all linked application integrations to prevent exploitation.

Navigate to Admin → Linked Applications → Disable all integrations

Network Isolation

Restrict network access to ADSelfService Plus to only necessary systems.

Configure firewall rules to limit inbound/outbound connections

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ADSelfService Plus from critical systems
  • Enable enhanced logging and monitoring for suspicious activity in linked applications

🔍 How to Verify

Check if Vulnerable:

Check the ADSelfService Plus version in the web interface under Help → About. If the version is 6111 or earlier, the system is vulnerable.

Check Version:

Check the web interface at https://[server]:[port]/help/about.jsp, or examine the version files in the installation directory.

Verify Fix Applied:

After applying the 6112 hotfix, verify the version shows 6112 in the About section and test linked application functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual linked application access patterns
  • Failed authentication attempts followed by successful linked app access
  • Configuration changes to linked applications

Network Indicators:

  • Unexpected outbound connections from ADSelfService Plus to linked systems
  • Unusual authentication traffic patterns

SIEM Query:

source="ADSelfServicePlus" AND (event="LinkedAppAccess" OR event="ConfigurationChange") | stats count by user, src_ip, dest_ip

🔗 References
