{"id":17048,"date":"2021-09-13T15:57:13","date_gmt":"2021-09-13T13:57:13","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=17048"},"modified":"2021-09-13T17:04:27","modified_gmt":"2021-09-13T15:04:27","slug":"usd-2021-0015","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0015\/","title":{"rendered":"usd-2021-0015"},"content":{"rendered":"\n[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\" custom_padding=\"||0px|||\"]

usd-2021-0015 | Password Manager Pro<\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2021-0015
<\/span>CVE Number<\/strong>: CVE-2021-33617
Affected Product<\/strong>: Password Manager Pro<\/span>
Affected Version<\/strong>: < Version 11.2 Build 11200 (Major)<\/span>
Vulnerability Type<\/strong>: User Enumeration (CWE-203: Observable Discrepancy)<\/span>
Security Risk<\/strong>: Low<\/span>
Vendor URL<\/strong>: <\/span><\/a>https:\/\/www.manageengine.com\/products\/passwordmanagerpro\/\u00a0<\/a>
Vendor Status<\/strong>: Fixed<\/span><\/em><\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

The ManageEngine Password Manager Pro web application allows the determination of valid logon names. This can be achieved by passing either an existing or non-existing user name to the application and view its corresponding response.<\/p>\n

User Enumeration vulnerabilities occur if observable discrepancies of an application\u2019s behavior allow to determine whether an user account is existent within an application. Such vulnerabilities can be often exploited to generate a list of valid logon names, potentially acting as foothold for further attacks.<\/p>\n

The Password Manager Pro<\/em> exposes an endpoint that enables an unauthenticated malicious actor to determine whether an userName<\/em>\u00a0is existent within the application.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The Password Manager Pro<\/em> exposes an endpoint that responds with different contents if a userName<\/em>\u00a0parameter at https:\/\/example.com\/login\/AjaxResponse.jsp?RequestType=GetUserDomainName&userName=[VALUE]<\/a> holds an existing user name or not.<\/p>\n

1. Non-existent user: https:\/\/example.com\/login\/AjaxResponse.jsp?RequestType=GetUserDomainName&userName=non.existent<\/a><\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/09\/poc1-1024x73-1.png\" _builder_version=\"4.10.7\" _module_preset=\"default\" title_text=\"poc1-1024x73\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.10.7\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]

2.Existing user: https:\/\/example.com\/login\/AjaxResponse.jsp?RequestType=GetUserDomainName&userName=max.mustermann<\/a><\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/09\/poc2-1024x75-1.png\" _builder_version=\"4.10.7\" _module_preset=\"default\" title_text=\"poc2-1024x75\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.11\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\" custom_padding=\"||1px|||\"]

\n
\n

Fix<\/h3>\n
\n
\n

It is recommended to use generic error messages that do not allow to draw conclusions about logon names.<\/p>\n

 <\/p>\n<\/div>\n<\/div>\n

<\/div>\n

References<\/h3>\n