CVE-2024-36034
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary SQL commands through the aggregate reports' search option in ManageEngine ADAudit Plus. Attackers could potentially access, modify, or delete sensitive Active Directory audit data. Organizations using ADAudit Plus versions below 8003 are affected.
💻 Affected Systems
- Zohocorp ManageEngine ADAudit Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ADAudit Plus database, allowing data exfiltration, privilege escalation, and potential lateral movement to connected Active Directory environments.
Likely Case
Unauthorized access to sensitive audit logs, user data extraction, and potential data manipulation affecting compliance reporting.
If Mitigated
Limited impact if proper network segmentation, database permissions, and monitoring are in place, though data exposure risk remains.
🎯 Exploit Status
Requires authenticated access but SQL injection is typically straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8003
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/sqlfix-8003.html
Restart Required: Yes
Instructions:
1. Download ADAudit Plus build 8003 from the ManageEngine website.
2. Stop the ADAudit Plus service.
3. Back up the current installation.
4. Install the update.
5. Restart the ADAudit Plus service.
🔧 Temporary Workarounds
Restrict Access to Aggregate Reports
Temporarily disable or restrict access to the aggregate reports feature for non-essential users.
Implement Web Application Firewall
Deploy WAF rules to block SQL injection patterns targeting the aggregate reports endpoint.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ADAudit Plus from critical systems
- Enforce principle of least privilege for ADAudit Plus user accounts and database permissions
🔍 How to Verify
Check if Vulnerable:
Check the ADAudit Plus version in the web interface (Help > About) or in the installation directory. If the version is below 8003, the system is vulnerable.
Check Version:
On Windows, check 'C:\Program Files\ManageEngine\ADAudit Plus\conf\version.info'. On Linux, check '/opt/ManageEngine/ADAudit Plus/conf/version.info'.
Verify Fix Applied:
Verify that the version shown on the About page is 8003 or higher. Test the aggregate reports search functionality with SQL injection test payloads (in a safe environment).
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by aggregate reports access
- Long or malformed search parameters in web logs
Network Indicators:
- Unusual database connection patterns from ADAudit Plus server
- Large data transfers from ADAudit Plus database
SIEM Query:
source="ad_audit_logs" AND (event="SQL_ERROR" OR (uri="/aggregatereports" AND (param CONTAINS "' OR " OR param CONTAINS "--" OR param CONTAINS ";")))
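The log indicators above (injection fragments and long or malformed search parameters on the aggregate reports endpoint) as a runnable check over web access logs. This is an added example, not vendor code: the log lines are constructed in Common Log Format, the "/aggregatereports" path is taken from the SIEM query above rather than verified against the product, and the 200-character length threshold is an assumption to tune.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not real ADAudit Plus output.
SAMPLE_LOG = (
    '10.0.0.5 - alice [12/May/2024:10:01:02 +0000] "GET /aggregatereports?search=Logon HTTP/1.1" 200 512\n'
    '10.0.0.9 - bob [12/May/2024:10:02:17 +0000] "GET /aggregatereports?search=Logon%27%20OR%201%3D1-- HTTP/1.1" 200 4096\n'
    '10.0.0.9 - bob [12/May/2024:10:02:20 +0000] "GET /aggregatereports?search=x%3B%20SELECT%20version() HTTP/1.1" 500 0\n'
    '10.0.0.7 - carol [12/May/2024:10:03:00 +0000] "GET /login HTTP/1.1" 200 128\n'
    '10.0.0.9 - bob [12/May/2024:10:04:00 +0000] "GET /aggregatereports?search=' + "A" * 300 + ' HTTP/1.1" 200 10\n'
)

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint path as written in the advisory's SIEM query (assumed, not a verified product route).
REPORT_PATH = "/aggregatereports"
# Injection fragments from the advisory's SIEM query, matched case-insensitively after URL-decoding.
INJECTION_FRAGMENTS = ("' or ", "--", ";")


def find_suspicious(log_text, max_len=200):
    """Return one alert dict per request parameter that matches the advisory's indicators."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != REPORT_PATH:
            continue
        # parse_qs percent-decodes values, so "%27%20OR%20" is compared as "' OR ".
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                reasons = [f for f in INJECTION_FRAGMENTS if f in value.lower()]
                if len(value) > max_len:
                    reasons.append(f"length>{max_len}")
                if reasons:
                    alerts.append({"client": m.group("client"), "user": m.group("user"),
                                   "param": name, "status": m.group("status"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

The ";" and "--" fragments alone will fire on some legitimate searches, so pair them with the status code (a 500 on the same request is a stronger signal) before alerting.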