Vulnerability Disclosure -Improper ACL : Unauthorized Password Reset @ Zoho R.A.P.

Kartik Lalan
Published in NestedIf
2 min read · Oct 3, 2021

Status: Possibly Fixed (as of 01-Oct-2021)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L = 7.3 (High Severity)

CVE-2021-42955

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42955

Fixed version: 10.1.2132 (Change log)

Impacted Component: Remote Access Plus (RAP) Server (Desktop App)

Vulnerability Description: The password reset workflow is improperly designed: no authentication verification is performed before a reset is carried out. It was also noticed that the application assigns weak file-permission ACLs (access control lists) in various locations, including the reset-password executable. As a result, a non-admin Windows user can reset the password of a web portal user. After a successful reset, the attacker holds web portal admin access.

Impact rationale: Through this unauthorized password reset vulnerability, any Windows user, admin or non-admin, can gain admin access to the R.A.P. web portal. The web portal contains sensitive information such as the server configuration, the deployed agent configuration, all other system information, vulnerability/patch status, user accounts, keys and many other details. The private key used for server authentication was also present.

Exploitability rationale:

The person needs access to the system where the application is installed, under any Windows account role, admin or non-admin. Exploitation becomes very easy because of the improper ACL and the hardcoded reset salt/password values.

Steps To Reproduce:

Exploitation becomes easier since the entire reset process is documented at https://www.manageengine.com/remote-desktop-management/help/changing-password.html

Recommendation:

  1. Restrict execution of the reset scripts to limited user roles.
  2. Use a security answer or email/SMS/authenticator-app based verification before a reset.
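To check whether the first recommendation holds on a given server, an administrator can audit the install directory for ACEs that grant broad write or modify rights to principals every Windows account belongs to. The following PowerShell script is an added example and is not the advisory's or the vendor's own code; the `$InstallDir` parameter and the list of broad principals are assumptions to adjust for the environment.

```powershell
# Added example (not from the advisory or from Zoho/ManageEngine): audit an install
# directory for ACEs that let non-admin principals write to, replace or delete files.
# $InstallDir is an assumption; point it at the actual R.A.P. server install path.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallDir
)

# Principals that every local or domain user is a member of (assumed list).
# Write/modify rights for these mean any non-admin Windows account can tamper with
# files in the directory, including a reset-password executable.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow changing file contents or replacing/removing files.
# Modify and FullControl both include the Write bits, so Write and Delete suffice.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Test-WeakAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the root first (inherited ACEs originate there), then every child.
$findings = @(Test-WeakAcl -Path $InstallDir)
$findings += Get-ChildItem -LiteralPath $InstallDir -Recurse -Force |
    ForEach-Object { Test-WeakAcl -Path $_.FullName }

if ($findings.Count -eq 0) {
    Write-Output "No broad write/modify/delete ACEs found under $InstallDir"
} else {
    $findings | Sort-Object Path | Format-Table -AutoSize
}
```

Any reported entry is a candidate for tightening with icacls or Set-Acl so that only the administrators group and the service account retain write rights on the reset tooling.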
