Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability has been identified in several ManageEngine products, specifically related to how authentication tickets are generated. An attacker could potentially predict these tickets without needing to log in, which could allow them to take over user accounts. This impacts systems that handle identity and access management, and its relevance needs to be confirmed for our environment.
- Predictable tickets allow unauthorized account access.
- Affects identity and access management systems.
- Confirm relevance and exposure for our environment.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker could predict special tickets used to verify user sessions in several ManageEngine products. This could allow an attacker to impersonate legitimate users and gain unauthorized access to accounts.
- Attacker needs network access.
- Predictable session tickets.
- Account takeover.
Live Threat
Current exploitation, exposure, and threat context
SSO tickets used for session authentication in specific ManageEngine products could be predicted by unauthenticated users, potentially leading to unauthorized access and account takeover. This could affect system access and user account control when these products are accessible externally.
- User accounts and system access.
- Ticket prediction by unauthenticated users.
- Account takeover and unauthorized access.
Operational Fix
Recommended remediation, mitigation, and detection steps
The potential for account takeover through predictable SSO tickets in ManageEngine products like ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus necessitates immediate attention from teams managing these identity and access management solutions. The first practical step is to inventory all instances of these products, confirm their external reachability and business criticality, and identify the accountable system owners. Subsequently, a risk-based remediation plan, potentially involving vendor coordination or temporary mitigating controls, should be developed and executed.
- Identify and inventory affected systems.
- Verify external reachability and business impact.
- Plan remediation based on ownership and risk.