e91fc4486e
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
33 lines
1.1 KiB
YAML
title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
id: fcbb4a77-f368-4945-b046-4499a1da69d1
status: experimental
description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
references:
    - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
    - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
    - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
author: Sittikorn S, Nuttakorn Tungpoonsup
date: 2021/09/10
modified: 2021/09/17
tags:
    - attack.initial_access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
    definition: 'Logs must be collected from \ManageEngine\ADSelfService Plus\logs'
detection:
    selection:
        c-uri|contains:
            - '/help/admin-guide/Reports/ReportGenerate.jsp'
            - '/RestAPI/LogonCustomization'
            - '/RestAPI/Connection'
    condition: selection
fields:
    - c-ip
    - c-uri
falsepositives:
    - Unknown
level: critical
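To show what the rule's selection actually does at alert time, here is an added example (not part of the Sigma repository) that evaluates the `c-uri|contains` selection over a few constructed access-log lines and projects the rule's `fields`. It assumes a simple space-separated log layout (date, time, c-ip, cs-method, c-uri, sc-status); the sample lines are made up and are not real ADSelfService Plus logs.

```python
from typing import Dict, List

# URI fragments taken from the rule's "c-uri|contains" selection.
SUSPICIOUS_URI_FRAGMENTS = (
    "/help/admin-guide/Reports/ReportGenerate.jsp",
    "/RestAPI/LogonCustomization",
    "/RestAPI/Connection",
)

# Constructed sample access-log lines (not real ADSelfService Plus logs).
# Assumed field order: date time c-ip cs-method c-uri sc-status.
SAMPLE_LOG = """\
2021-09-10 08:00:01 10.0.0.5 GET /adsf/login.jsp 200
2021-09-10 08:00:07 198.51.100.23 POST /RestAPI/LogonCustomization 200
2021-09-10 08:00:09 198.51.100.23 POST /RestAPI/Connection 200
2021-09-10 08:01:12 10.0.0.9 GET /help/admin-guide/Reports/ReportGenerate.jsp 200
2021-09-10 08:02:00 10.0.0.5 GET /favicon.ico 404
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one space-separated access-log line into Sigma-style field names."""
    date, time, c_ip, method, c_uri, status = line.split(maxsplit=5)
    return {"date": date, "time": time, "c-ip": c_ip,
            "cs-method": method, "c-uri": c_uri, "sc-status": status}


def selection_matches(event: Dict[str, str]) -> bool:
    """A list under 'c-uri|contains' is an OR of substrings; Sigma string
    matching is case-insensitive by default, so both sides are lowercased."""
    uri = event.get("c-uri", "").lower()
    return any(frag.lower() in uri for frag in SUSPICIOUS_URI_FRAGMENTS)


def run_rule(log_text: str) -> List[Dict[str, str]]:
    """Apply 'condition: selection' and keep only the rule's 'fields' (c-ip, c-uri)."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if selection_matches(event):
            hits.append({"c-ip": event["c-ip"], "c-uri": event["c-uri"]})
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print(f"ALERT level=critical c-ip={hit['c-ip']} c-uri={hit['c-uri']}")
```

The sample yields three hits, all from the two non-login requests of 198.51.100.23 and the report-generation request of 10.0.0.9; the login page and favicon lines do not match.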