CVE-2024-36037
📋 TL;DR
This vulnerability in Zoho ManageEngine ADAudit Plus allows unauthorized local users on agent machines to view session recordings. It affects organizations using ADAudit Plus version 7260 and below for Active Directory auditing. The exposure is limited to local agent access but could reveal sensitive session data.
💻 Affected Systems
- Zoho ManageEngine ADAudit Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized local users could access sensitive session recordings containing privileged operations, credentials, or confidential data, potentially leading to credential theft or lateral movement.
Likely Case
Local users with access to agent machines could view session recordings they shouldn't have access to, potentially exposing administrative activities or sensitive operations.
If Mitigated
With proper access controls and agent machine security, impact is limited to users who already hold legitimate local access to an agent machine but are not meant to see its recordings.
🎯 Exploit Status
Exploitation requires local access to agent machines but no special privileges. The vulnerability is in access control logic for session recordings.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 7261
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2024-36037.html
Restart Required: Yes
Instructions:
1. Download ADAudit Plus build 7261 or later from the ManageEngine website.
2. Back up the current installation.
3. Run the installer with administrative privileges.
4. Restart the ADAudit Plus service.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Local Access to Agent Machines
Limit local user access to ADAudit Plus agent machines to only authorized administrators.
Implement File System Permissions
Set strict file system permissions on session recording storage directories to prevent unauthorized access.
chmod 700 /path/to/session/recordings (Linux)
icacls "C:\path\to\recordings" /inheritance:r /grant:r "Administrators:(OI)(CI)F" (Windows)
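As an added example (not code from the advisory or from ManageEngine), the script below audits a recordings directory on a POSIX host for the group/other permission bits that the `chmod 700` line above removes, tightens them, and re-audits. The directory name and file are constructed sample data; on Windows agents the page's `icacls` command is the equivalent control, and this script does not inspect NTFS ACLs.

```python
# Added example, not the advisory's own code: audit a recordings directory on a
# POSIX host for group/other permission bits (the bits the page's `chmod 700`
# removes) and tighten them. Windows agents need the page's icacls command
# instead; NTFS ACLs are out of scope here.
import os
import stat
import tempfile
from pathlib import Path


def _walk(root):
    """Yield root itself, then everything beneath it."""
    root = Path(root)
    yield root
    yield from root.rglob("*")


def find_overpermissive(root):
    """Return (path, mode string) for every entry under root, root included,
    whose mode grants any permission to group or other."""
    findings = []
    for p in _walk(root):
        mode = p.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue  # a symlink's own bits are not enforced; skip it
        if mode & 0o077:
            findings.append((str(p), stat.filemode(mode)))
    return findings


def harden(root):
    """Owner-only access: 0o700 on directories, 0o600 on regular files."""
    for p in _walk(root):
        mode = p.lstat().st_mode
        if stat.S_ISDIR(mode):
            p.chmod(0o700)
        elif stat.S_ISREG(mode):
            p.chmod(0o600)


def demo():
    """Build a throwaway tree with loose permissions (constructed sample data),
    audit it, harden it, and audit again. Returns the finding counts
    before and after hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        rec = Path(tmp) / "session_recordings"
        rec.mkdir()
        sample = rec / "ws17-20240601.mp4"
        sample.write_bytes(b"constructed sample")
        os.chmod(rec, 0o755)      # world-readable directory
        os.chmod(sample, 0o644)   # world-readable recording
        before = find_overpermissive(rec)
        harden(rec)
        after = find_overpermissive(rec)
        return len(before), len(after)


if __name__ == "__main__":
    print(demo())  # (2, 0): two loose entries found, none after hardening
```

Point `find_overpermissive` at the real recordings directory before changing anything; the audit is read-only, while `harden` changes modes and should be run only after confirming the agent service account is the directory owner.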
🧯 If You Can't Patch
- Implement strict access controls on all ADAudit Plus agent machines to prevent unauthorized local access.
- Monitor access to session recording directories and alert on unauthorized access attempts.
🔍 How to Verify
Check if Vulnerable:
Check the ADAudit Plus version in the web interface under Help > About, or run 'java -jar ManageEngineADAuditPlus.jar -version' from the installation directory.
Check Version:
java -jar ManageEngineADAuditPlus.jar -version
Verify Fix Applied:
Verify version is 7261 or higher and test that local non-admin users cannot access session recordings.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to session recording files
- Failed authentication attempts to ADAudit Plus agent components
Network Indicators:
- Unusual access patterns to agent machines from unauthorized IPs
SIEM Query:
source="ADAuditPlus" AND (event_type="file_access" AND file_path="*session*recordings*") AND user NOT IN (authorized_users)
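The detector below is an added example (not from the advisory or ManageEngine) that applies the same filter as the SIEM query above to log lines offline: source is ADAuditPlus, the event is a file access, the path matches `*session*recordings*`, and the user is outside an allow-list. The key=value log format, account names and install path are constructed for illustration; real agent or endpoint logs need their own parser, but the filtering logic carries over.

```python
# Added example, not part of the advisory: applies the page's SIEM query logic
# to constructed key=value log lines (source, event_type, user, file_path).
import fnmatch
import re
from dataclasses import dataclass

# key=value pairs; values may be double-quoted because paths contain spaces
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Path pattern from the advisory's SIEM query, matched case-insensitively
RECORDING_PATH_GLOB = "*session*recordings*"


@dataclass
class Alert:
    timestamp: str
    user: str
    path: str


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a field dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def detect_unauthorized_recording_access(lines, authorized_users):
    """Return an Alert for every ADAuditPlus file_access event on a
    session-recording path whose user is not on the allow-list.
    User comparison is case-insensitive, as Windows account names are."""
    allowed = {u.lower() for u in authorized_users}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("source") != "ADAuditPlus" or ev.get("event_type") != "file_access":
            continue
        path = ev.get("file_path", "")
        if not fnmatch.fnmatchcase(path.lower(), RECORDING_PATH_GLOB):
            continue
        user = ev.get("user", "")
        if user.lower() not in allowed:
            alerts.append(Alert(ev.get("ts", ""), user, path))
    return alerts


# Constructed sample data: hypothetical accounts and a placeholder install path.
AUTHORIZED_USERS = ["CORP\\svc-adaudit", "CORP\\adaudit-admin"]
SAMPLE_LOG = [
    r'ts=2024-06-01T09:12:03Z source=ADAuditPlus event_type=file_access user="CORP\svc-adaudit" file_path="C:\AgentInstall\session_recordings\ws17-20240601.mp4"',
    r'ts=2024-06-01T09:15:44Z source=ADAuditPlus event_type=file_access user="CORP\jdoe" file_path="C:\AgentInstall\session_recordings\ws17-20240601.mp4"',
    r'ts=2024-06-01T09:16:10Z source=ADAuditPlus event_type=file_access user="CORP\jdoe" file_path="C:\AgentInstall\logs\agent.log"',
    r'ts=2024-06-01T09:18:30Z source=ADAuditPlus event_type=file_access user="CORP\ADAUDIT-ADMIN" file_path="C:\AgentInstall\session_recordings\ws17-20240601.mp4"',
    r'ts=2024-06-01T09:20:00Z source=Sysmon event_type=file_access user="CORP\jdoe" file_path="C:\AgentInstall\session_recordings\ws17-20240601.mp4"',
]

if __name__ == "__main__":
    for a in detect_unauthorized_recording_access(SAMPLE_LOG, AUTHORIZED_USERS):
        print(f"ALERT {a.timestamp} {a.user} read {a.path}")
```

Only the second sample line produces an alert: the first and fourth users are on the allow-list (the fourth differs only in case), the third touches a log file rather than a recording, and the fifth comes from a different source. Note that file-access events only exist if object auditing is enabled on the recordings directory; without that, the SIEM query has nothing to match.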