While exploring the security aspects of ManageEngine ADAudit Plus, I discovered a security vulnerability (CVE-2023-32783) that may have far-reaching implications for other product users.
My findings indicate that ADAudit Plus contains a vulnerability which allows Windows user accounts to remain completely invisible to ADAudit Plus. User accounts leveraging this vulnerability will be undetected by ADAudit Plus, and all audit and security events raised by that user will be missed (i.e., Windows accounts logging in successfully or unsuccessfully). This vulnerability poses a potentially significant risk to organizations relying on ADAudit Plus to perform audit, compliance, and security functions accurately.
Following responsible disclosure guidelines, I secured the CVE but withheld public disclosure of the vulnerability for 90 days, allowing ManageEngine adequate time to address the issue or work with me on a timeline. Unfortunately, despite communication attempts, I could only get them to acknowledge but couldn't get them to provide any updates or collaborate. The 90-day disclosure period has expired, and this CVE is now public.
Steps to Reproduce
1. Setup:
Install ManageEngine ADAudit Plus (Version: 7.1.1) on a Windows machine to monitor Windows Event Log activity for user accounts (e.g., a domain controller or event forwarding server).
Access the ADAudit Plus portal page at http://localhost:8081.
Navigate to the Reports section and select "User Logon Activity" (or any other report screen that displays user activities).
2. Execution:
Carry out actions that trigger the generation of Windows event logs, such as logging into machines using domain accounts, locking screens, attempting logins with incorrect passwords, etc. ADAudit Plus will successfully detect all these activities, as advertised.
3. Exploit:
Create a new user account on any machine that will generate Windows Event Logs to be observed by ADAudit Plus. Ensure the user account ends with a "$" symbol (e.g., "duser$").
Log in using this new account (in this example, "duser$") and perform various actions that result in creating Windows Event Logs.
Observe that the ADAudit Plus portal does not recognize this user, and any actions taken by the user (whether successful or not) do not appear in any of the user or activity reports.
Note that any user previously observed by ADAudit Plus will become invisible if they rename their user login to end with a '$' symbol.
Threat Vector
A malicious user, whether internal or external to the organization, who is aware of this vulnerability can create a new user account or rename an existing user account to have a "$" suffix, and then move across different machines and perform different actions, none of which ADAudit Plus detects.
Severity: "Medium to High"
Rated "Medium to High" for the following reasons:
This product is extensively utilized by organizations that depend on its accurate execution of audit, compliance, and security tasks.
The simplicity of exploitation
The potential impact on an organization's threat detection capabilities, given the possible invisibility of an adversary
Suspected Issue and Proposed Solution
Windows Event Logs are notoriously challenging to work with, leading to a demand for products that can filter out the noise and extract meaningful information. I suspect the ADAudit Plus code may examine event properties, match the "TargetUserName" field, and disregard any entry ending with a "$". ADAudit Plus incorrectly assumes that such entries only represent system (machine) accounts, which leads to the vulnerability described. Consequently, a legitimate Windows user account (non-system) would be invisible to the product.
The solution would be to avoid relying on the "$" suffix to identify system accounts. This would distinguish user accounts from system accounts more accurately.
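The following is an added example, not ADAudit Plus code, that contrasts the suspected suffix-based filter with a classifier that consults the directory's objectClass instead, and adds a compensating check for user objects whose names mimic computer accounts. The DIRECTORY snapshot, the event records and their field names are constructed stand-ins for an LDAP lookup and Security-log events.

```python
"""Added example: suffix-based vs. directory-based filtering of Security-log
TargetUserName values. Nothing here is ADAudit Plus's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    event_id: int       # 4624 = successful logon, 4625 = failed logon
    target_user: str    # TargetUserName field of the Security event
    workstation: str


# Constructed directory snapshot (sAMAccountName -> objectClass), standing in
# for an LDAP query. Keys are lower-cased because sAMAccountName is
# case-insensitive. Note that "duser$" is a *user* object despite the suffix.
DIRECTORY = {
    "alice": "user",
    "duser$": "user",
    "ws01$": "computer",
    "dc01$": "computer",
}

# Constructed sample events.
EVENTS = [
    LogonEvent(4624, "alice", "WS01"),
    LogonEvent(4624, "WS01$", "WS01"),    # machine account: genuinely noise
    LogonEvent(4624, "duser$", "WS02"),   # human user hidden behind the suffix
    LogonEvent(4625, "duser$", "WS03"),   # failed logon by the same user
]


def suffix_filter(events):
    """Suspected (vulnerable) behaviour: drop every name ending in '$'."""
    return [e for e in events if not e.target_user.endswith("$")]


def is_computer_account(name, directory=DIRECTORY):
    """Fixed classifier: trust the directory's objectClass, not the name.
    Unknown names are kept (fail towards logging, not towards silence)."""
    return directory.get(name.lower()) == "computer"


def directory_filter(events, directory=DIRECTORY):
    """Keep every event whose subject is not a known computer object."""
    return [e for e in events if not is_computer_account(e.target_user, directory)]


def suspicious_user_names(directory=DIRECTORY):
    """Compensating detection: user objects whose name looks like a computer."""
    return sorted(n for n, cls in directory.items()
                  if cls == "user" and n.endswith("$"))
```

Running `suspicious_user_names()` against a real directory export is a cheap periodic check while the product-side filter remains suffix-based.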