cve-2020-11552
Vulnerability from cvelistv5
Published
2020-08-11 15:43
Modified
2024-08-04 11:35
Severity ?
EPSS score ?
5.87% (0.90025)
Summary
An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \windows\system32, cmd.exe can be launched as a SYSTEM.
References
cve@mitre.orghttp://packetstormsecurity.com/files/158820/ManageEngine-ADSelfService-Plus-6000-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
cve@mitre.orghttp://seclists.org/fulldisclosure/2020/Aug/4Exploit, Mailing List, Third Party Advisory
cve@mitre.orghttp://seclists.org/fulldisclosure/2020/Aug/6Exploit, Mailing List, Third Party Advisory
cve@mitre.orghttps://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-supportRelease Notes, Vendor Advisory
cve@mitre.orghttps://www.exploit-db.com/exploits/48739Exploit, Third Party Advisory, VDB Entry
cve@mitre.orghttps://www.manageengine.comVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/158820/ManageEngine-ADSelfService-Plus-6000-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2020/Aug/4Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2020/Aug/6Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-supportRelease Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.exploit-db.com/exploits/48739Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://www.manageengine.comVendor Advisory
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T11:35:13.226Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.manageengine.com",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2020/Aug/4",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/158820/ManageEngine-ADSelfService-Plus-6000-Remote-Code-Execution.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.exploit-db.com/exploits/48739",
               },
               {
                  name: "20200811 Re: [FD] ManageEngine ADSelfService Plus - Unauthenticated Remote Code Execution Vulnerability",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2020/Aug/6",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \\windows\\system32, cmd.exe can be launched as a SYSTEM.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-08-11T21:06:16",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.manageengine.com",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://seclists.org/fulldisclosure/2020/Aug/4",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/158820/ManageEngine-ADSelfService-Plus-6000-Remote-Code-Execution.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.exploit-db.com/exploits/48739",
            },
            {
               name: "20200811 Re: [FD] ManageEngine ADSelfService Plus - Unauthenticated Remote Code Execution Vulnerability",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2020/Aug/6",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-11552",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \\windows\\system32, cmd.exe can be launched as a SYSTEM.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.manageengine.com",
                     refsource: "MISC",
                     url: "https://www.manageengine.com",
                  },
                  {
                     name: "http://seclists.org/fulldisclosure/2020/Aug/4",
                     refsource: "MISC",
                     url: "http://seclists.org/fulldisclosure/2020/Aug/4",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/158820/ManageEngine-ADSelfService-Plus-6000-Remote-Code-Execution.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/158820/ManageEngine-ADSelfService-Plus-6000-Remote-Code-Execution.html",
                  },
                  {
                     name: "https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support",
                     refsource: "CONFIRM",
                     url: "https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support",
                  },
                  {
                     name: "https://www.exploit-db.com/exploits/48739",
                     refsource: "MISC",
                     url: "https://www.exploit-db.com/exploits/48739",
                  },
                  {
                     name: "20200811 Re: [FD] ManageEngine ADSelfService Plus - Unauthenticated Remote Code Execution Vulnerability",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2020/Aug/6",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-11552",
      datePublished: "2020-08-11T15:43:14",
      dateReserved: "2020-04-05T00:00:00",
      dateUpdated: "2024-08-04T11:35:13.226Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2020-11552\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-08-11T16:15:12.057\",\"lastModified\":\"2024-11-21T04:58:08.340\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \\\\windows\\\\system32, cmd.exe can be launched as a SYSTEM.\"},{\"lang\":\"es\",\"value\":\"Se presenta una vulnerabilidad de elevación de privilegios en ManageEngine ADSelfService Plus antes del build 6003, porque no aplica apropiadamente los privilegios de usuario asociados con un cuadro de diálogo del Certificado. Esta vulnerabilidad podría permitir a un atacante no autenticado escalar privilegios sobre un host de Windows. Un atacante no requiere ningún privilegio en el sistema de destino para explotar esta vulnerabilidad. Una opción es la opción de autoservicio en la pantalla de inicio de sesión de Windows. Al seleccionar esta opción, se inicia el software thick-client, que se conecta a un servidor ADSelfService Plus remoto para facilitar las operaciones de autoservicio. Un atacante no autenticado que tenga acceso físico al host podría activar una alerta de seguridad al suministrar un certificado SSL autofirmado al cliente. La opción View Certificate de la alerta de seguridad permite a un atacante exportar un certificado desplegado hacia un archivo. Esto puede convertirse en cascada en un cuadro de diálogo que puede abrir Explorer como SYSTEM. Al navegar desde Explorer en \\\\windows\\\\ system32, el archivo cmd.exe puede ser iniciado como un SYSTEM\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.8\",\"matchCriteriaId\":\"EA200DAA-09C6-4165-86F3-53E0693DEFA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"86396EFE-E4E1-42DB-A206-9D44B977DB95\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6000:*:*:*:*:*:*\",\"matchCriteriaId\":\"1ECD4B6F-D157-4AA6-A288-AF85ECFE3D5D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6001:*:*:*:*:*:*\",\"matchCriteriaId\":\"89042E18-91F4-4EB7-9276-251A94529D36\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6002:*:*:*:*:*:*\",\"matchCriteriaId\":\"0215A848-4170-42E0-9711-E9922CE82CD1\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/158820/ManageEngine-ADSelfService-Plus-6000-Remote-Code-Execution.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Aug/4\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Aug/6\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/48739\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.manageengine.com\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/158820/ManageEngine-ADSelfService-Plus-6000-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Aug/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Aug/6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/48739\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.manageengine.com\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.