CVE-2021-38298

9.8 CRITICAL
XXE

📋 TL;DR

This vulnerability allows attackers to perform blind XML External Entity (XXE) attacks against Zoho ManageEngine ADManager Plus. Attackers can exploit this to read arbitrary files from the server, potentially leading to sensitive data exposure. Organizations using ADManager Plus versions before 7110 are affected.

💻 Affected Systems

Products:
  • Zoho ManageEngine ADManager Plus
Versions: All versions before 7110
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the ADManager Plus server, including extraction of sensitive configuration files, credentials, and Active Directory data, potentially enabling lateral movement within the network.

🟠 Likely Case

Unauthorized file read access leading to credential theft, configuration exposure, and potential privilege escalation within the ADManager Plus environment.

🟢 If Mitigated

Limited impact with proper network segmentation and input validation controls, though some information disclosure may still occur.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exploitable without authentication, making them prime targets for attackers.
🏢 Internal Only: HIGH - Even internally accessible instances are vulnerable to internal threat actors or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood with readily available exploitation tools. The blind nature requires some additional steps but doesn't significantly increase complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7110

Vendor Advisory: https://www.manageengine.com/products/ad-manager/release-notes.html#7110

Restart Required: Yes

Instructions:

1. Download ADManager Plus version 7110 or later from the ManageEngine website.
2. Stop the ADManager Plus service.
3. Install the update.
4. Restart the service.

🔧 Temporary Workarounds

Disable XML External Entity Processing (applies to: all)

Configure the XML parser to disable external entity resolution. Modify the XML parser configuration to set the following features:
  • FEATURE_SECURE_PROCESSING = true
  • http://apache.org/xml/features/disallow-doctype-decl = true
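The two features named in this workaround are JAXP/Xerces parser features, so the natural place to show them is a Java DocumentBuilderFactory. The following is an added example, not ADManager Plus code (the page does not describe the product's internal parser setup): it builds a hardened parser with both features plus the related switches recommended alongside them, and checks that a document carrying a DOCTYPE is rejected before any entity can be resolved. The class name, method names and the two sample documents are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    /**
     * Builds a DocumentBuilder with the two features named in the workaround,
     * plus the companion switches usually set with them (assumed here, not
     * taken from the page). With disallow-doctype-decl on, any DOCTYPE makes
     * the parser fail fast, so neither internal nor external entities can be declared.
     */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Caps entity expansion and other resource-hungry constructs.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejects the DOCTYPE itself; this is the single most effective switch against XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE must be tolerated elsewhere.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Returns true if the hardened parser accepted the document, false if it rejected it. */
    public static boolean parses(String xml) throws ParserConfigurationException {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            // SAXParseException is what a disallowed DOCTYPE raises; treat it as a rejection.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary request body with no DOCTYPE.
        String benign = "<request><user>alice</user></request>";
        // Constructed sample: the general shape of an external-entity document.
        // The hardened builder stops at the DOCTYPE, so the SYSTEM URI is never fetched.
        String withDoctype = "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///example/config.txt\">]>"
                + "<request><user>&ext;</user></request>";

        System.out.println("benign document accepted: " + parses(benign));
        System.out.println("DOCTYPE document accepted: " + parses(withDoctype));
    }
}
```

Set the features on the factory before calling newDocumentBuilder(); a feature string the underlying parser does not know raises ParserConfigurationException at setFeature time, which is preferable to silently running without it. If some legitimate input genuinely needs a DOCTYPE, drop only the disallow-doctype-decl line and keep the remaining switches, which prevent external entity and external DTD resolution on their own.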

Network Segmentation (applies to: all)

Restrict network access to ADManager Plus instances: configure firewall rules to limit access to trusted IP addresses only.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all XML input
  • Deploy a web application firewall (WAF) with XXE protection rules

🔍 How to Verify

Check if Vulnerable:

Check the ADManager Plus version in the web interface or installation directory. Versions below 7110 are vulnerable.

Check Version:

Check the version in the web interface at /api/json/admin/getproductdetails or examine the build.txt file in the installation directory.

Verify Fix Applied:

Verify the version shows 7110 or higher after patching and test XXE payloads to confirm they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Requests containing XML with DOCTYPE declarations
  • Outbound connections from the ADManager Plus server to unusual external hosts (attempted resolution of external entities or DTDs)

Network Indicators:

  • HTTP requests with XML payloads containing external entity references
  • DNS requests for unusual external domains from the ADManager Plus server

SIEM Query:

source="admanager-plus" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*XXE*")
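Because this XXE is blind, the response body carries no entity content; the usable evidence is the DOCTYPE in the inbound request and any outbound fetch the server makes while resolving it. As an added example (not part of the original page or the vendor's tooling), the Java class below classifies constructed request-log lines by whether the XML body carries a DOCTYPE at all and whether that DOCTYPE references an external identifier (SYSTEM or PUBLIC), which is what separates an XXE attempt from a harmless internal entity declaration. It also shows why the bare *XXE* substring in the SIEM query above matches unrelated free-text messages. The log format, endpoint path and hostnames are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class XxeLogTriage {

    public enum Verdict { CLEAN, DOCTYPE_INTERNAL_ONLY, EXTERNAL_REFERENCE }

    // DOCTYPE whose own declaration points at an external DTD: <!DOCTYPE r SYSTEM "...">
    private static final Pattern EXTERNAL_DTD = Pattern.compile(
            "<!DOCTYPE\\s+[^\\[>]*\\b(SYSTEM|PUBLIC)\\b", Pattern.CASE_INSENSITIVE);
    // Entity declared with an external identifier; the optional % covers parameter
    // entities, which are the usual vehicle for the blind variant.
    private static final Pattern EXTERNAL_ENTITY = Pattern.compile(
            "<!ENTITY\\s+%?\\s*\\w+\\s+(SYSTEM|PUBLIC)\\b", Pattern.CASE_INSENSITIVE);
    private static final Pattern ANY_DOCTYPE = Pattern.compile("<!DOCTYPE", Pattern.CASE_INSENSITIVE);

    /** Classifies one log line by the XML markup it contains; free text such as "XXE" is ignored. */
    public static Verdict classify(String logLine) {
        if (EXTERNAL_DTD.matcher(logLine).find() || EXTERNAL_ENTITY.matcher(logLine).find()) {
            return Verdict.EXTERNAL_REFERENCE;
        }
        if (ANY_DOCTYPE.matcher(logLine).find()) {
            return Verdict.DOCTYPE_INTERNAL_ONLY;
        }
        return Verdict.CLEAN;
    }

    /**
     * Lines worth alerting on: an external reference is high priority; a bare DOCTYPE
     * is still worth review because ordinary API clients of this product do not send one.
     */
    public static List<String> linesToAlert(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (classify(line) != Verdict.CLEAN) {
                hits.add(line);
            }
        }
        return hits;
    }

    /** Per-verdict counts, handy as a daily baseline for the DOCTYPE indicator. */
    public static Map<Verdict, Integer> tally(List<String> lines) {
        Map<Verdict, Integer> counts = new EnumMap<>(Verdict.class);
        for (Verdict v : Verdict.values()) {
            counts.put(v, 0);
        }
        for (String line : lines) {
            counts.merge(classify(line), 1, Integer::sum);
        }
        return counts;
    }

    public static void main(String[] args) {
        // Constructed sample log lines: format, path and hosts are placeholders, not real ADManager Plus logs.
        List<String> sample = List.of(
            "2021-09-20T10:15:01Z POST /example/xml-endpoint body=<request><user>alice</user></request>",
            "2021-09-20T10:15:07Z POST /example/xml-endpoint body=<!DOCTYPE r [<!ENTITY co \"Example Corp\">]><request>&co;</request>",
            "2021-09-20T10:15:12Z POST /example/xml-endpoint body=<!DOCTYPE r [<!ENTITY % ext SYSTEM \"http://oob.example/x.dtd\"> %ext;]><request/>",
            "2021-09-20T10:15:20Z POST /example/xml-endpoint body=<!DOCTYPE r SYSTEM \"http://oob.example/r.dtd\"><request/>",
            "2021-09-20T10:16:00Z INFO scanner: XXE signature pack loaded, 0 matches"
        );
        for (String line : sample) {
            System.out.println(classify(line) + "  <-  " + line);
        }
        System.out.println("tally: " + tally(sample));
        System.out.println("lines to alert on: " + linesToAlert(sample).size());
    }
}
```

The last sample line is the kind of message the page's *XXE* clause catches without any XML being involved; matching on the DOCTYPE and on SYSTEM/PUBLIC identifiers keeps the alert tied to actual parser input. Pair this with the network indicators above: an EXTERNAL_REFERENCE hit followed by a DNS lookup or outbound HTTP request from the ADManager Plus host to the same name is the strongest signal a blind XXE attempt reached the parser.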
