While exploring the security aspects of ManageEngine ADAudit Plus, I discovered a security vulnerability (CVE-2023-32783) that may have far-reaching implications for other product users.
My findings indicate that ADAudit Plus contains a vulnerability allowing Windows user accounts to remain completely invisible to ADAudit Plus. User accounts leveraging this vulnerability will be undetected by ADAudit Plus, and all audit and security events raised by that user will be missed (i.e., Windows accounts logging in successfully or unsuccessfully). This vulnerability poses a potentially significant risk to organizations relying on ADAudit Plus to perform audit, compliance, and security functions accurately.
Following responsible disclosure guidelines, I secured the CVE but withheld public disclosure of the vulnerability for 90 days, allowing ManageEngine adequate time to address the issue or work with me on a timeline. Unfortunately, despite communication attempts, I could only get them to acknowledge the report, but couldn't get them to provide any updates or collaborate. The 90-day disclosure period has expired, and this CVE is now public.
3. Exploit:
A malicious user, whether internal or external to the organization, who is aware of this vulnerability can create a new user account, or rename an existing one, so that its name carries a $ suffix, and then move undetected across different machines and perform actions that are all missed by ADAudit Plus.
Rated "Medium to High" for the following reasons:
Windows Event Logs are notoriously challenging to work with, leading to a demand for products that can filter out the noise and extract meaningful information. I suspect the ADAudit Plus code may examine event properties, match the "TargetUserName" field, and disregard any entry ending with a "$", and that ADAudit Plus incorrectly assumes such entries only represent system accounts, leading to the vulnerability described. Consequently, a legitimate (non-system) Windows user account would be invisible to the product.
The solution would be to avoid relying on the "$" suffix to identify system accounts, and instead distinguish user accounts from system accounts more accurately (for example, by what the directory says the object actually is rather than by its name).
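To make the suspected failure mode concrete, here is an added Python example. It is my own illustration, not ADAudit Plus code (the product's real logic is not known), and it assumes a simplified key=value event format, a constructed sample of 4624/4625 logon records, a constructed stand-in for a directory lookup (`DIRECTORY`), and hypothetical function names. It contrasts a filter that drops any `TargetUserName` ending in `$` with one that keeps a record unless the directory classifies the object as a computer, and reports the logons the suffix filter would silently lose.

```python
"""Added example (not ADAudit Plus code): a '$'-suffix filter for "system"
accounts versus a filter keyed on the directory object class."""
from dataclasses import dataclass

# Constructed sample of Security log records in a simplified key=value form
# (not real Windows Event Log output). 4624 = successful logon, 4625 = failed.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=jdoe TargetDomainName=CORP LogonType=2",
    "EventID=4625 TargetUserName=jdoe TargetDomainName=CORP LogonType=3",
    "EventID=4624 TargetUserName=WKSTN01$ TargetDomainName=CORP LogonType=3",
    "EventID=4624 TargetUserName=svc$ TargetDomainName=CORP LogonType=3",
    "EventID=4625 TargetUserName=svc$ TargetDomainName=CORP LogonType=10",
]

# Constructed stand-in for a directory lookup: sAMAccountName -> objectClass.
# A real implementation would query AD for the object's class (or
# sAMAccountType) instead of using a hard-coded table.
DIRECTORY = {
    "jdoe": "user",
    "WKSTN01$": "computer",
    "svc$": "user",  # a human account whose name carries a '$' suffix
}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    user: str
    domain: str
    logon_type: int


def parse_event(line: str) -> LogonEvent:
    """Parse one key=value record into a LogonEvent."""
    fields = dict(token.split("=", 1) for token in line.split())
    return LogonEvent(
        int(fields["EventID"]),
        fields["TargetUserName"],
        fields["TargetDomainName"],
        int(fields["LogonType"]),
    )


def is_system_account_by_suffix(user: str) -> bool:
    """Weak heuristic of the kind suspected in the text: anything ending
    in '$' is treated as a machine/system account."""
    return user.endswith("$")


def is_system_account_by_class(user: str, directory=DIRECTORY) -> bool:
    """Robust check: ask the directory what the object actually is.
    Unknown names are kept (not dropped), so a failed lookup cannot hide
    a logon."""
    return directory.get(user) == "computer"


def audit_user_logons(lines, classifier):
    """Return (event_id, user) pairs that survive the given filter."""
    kept = []
    for line in lines:
        ev = parse_event(line)
        if ev.event_id not in (4624, 4625):
            continue
        if classifier(ev.user):
            continue  # dropped as a system account
        kept.append((ev.event_id, ev.user))
    return kept


def missed_by_suffix_filter(lines):
    """Logon events the suffix filter drops but the class filter keeps."""
    weak = set(audit_user_logons(lines, is_system_account_by_suffix))
    robust = set(audit_user_logons(lines, is_system_account_by_class))
    return sorted(robust - weak)


if __name__ == "__main__":
    for event in missed_by_suffix_filter(SAMPLE_EVENTS):
        print("missed by suffix filter:", event)
```

Run as a script, it lists the `svc$` logons (one success, one failure) that the suffix-based filter never reports. The design point is that the robust filter fails open: an account the directory does not recognise is still audited, whereas the suffix heuristic fails closed on exactly the names an attacker controls.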