Security Advisory

December 22, 2020

This is a security advisory regarding a possible authentication bypass vulnerability in AssetExplorer, which has been identified and rectified. Users of AssetExplorer versions 6503 to 6723 who have enabled SAML authentication are affected by this vulnerability and advised to update to the latest version (6724) immediately.

Severity: High

Impact:

This vulnerability might be exploited to log in to an AssetExplorer installation with administrative privileges to access information or change the tool configurations, both of which can be used to provide unauthorized access to user data or aid subsequent attacks. To do so, an attacker would need to carry out two steps. First, they would need to enter the credentials of any user’s account. Then they would need to alter the parameter 'username' to another username with administrative privileges after SAML validation. This would require the attacker to know three pieces of information: the credentials of any user account, the username of an administrator account, and the domain details.

What led to the vulnerability

The security check process used by AssetExplorer to authenticate the username and the user domain post SAML validation had a vulnerability that made it possible to change the parameter 'username' post SAML validation.

This vulnerability could be exploited to log in to an AssetExplorer installation as an administrator.

Who is affected?

This vulnerability affects customers of any edition of AssetExplorer between version 6503 and 6723 who have SAML authentication enabled.

How have we fixed it?

This particular vulnerability has been addressed in AssetExplorer 6724 by fixing the security check mechanism such that authentication occurs with the username and domain details stored securely rather than from direct incoming parameters that can be tampered with easily.
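The two sections above describe the same flaw from both sides: identity taken from a request parameter after SAML validation, versus identity bound to what the server recorded when it validated the assertion. The following is an added illustration written for this advisory, not AssetExplorer's own code; the user directory, the session object and the stand-in assertion check are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed user directory for the example: username -> (domain, is_admin)
USERS = {
    "alice": ("corp", False),
    "admin": ("corp", True),
}

@dataclass
class Session:
    # Identity recorded server-side at the moment the SAML assertion was validated
    saml_subject: Optional[str] = None
    saml_domain: Optional[str] = None
    logged_in_as: Optional[str] = None
    is_admin: bool = False

def validate_saml_assertion(session: Session, assertion: dict) -> bool:
    """Stand-in for real assertion validation; only records the asserted subject server-side."""
    # A real implementation checks signature, issuer, audience, validity window, etc.
    if assertion.get("signature_ok") is not True:
        return False
    session.saml_subject = assertion["subject"]
    session.saml_domain = assertion["domain"]
    return True

def vulnerable_login(session: Session, params: dict) -> Optional[Session]:
    """Vulnerable pattern: SAML succeeded, so 'username'/'domain' from the request are trusted."""
    if session.saml_subject is None:
        return None
    name, domain = params.get("username"), params.get("domain")  # client-controlled
    stored_domain, is_admin = USERS.get(name, (None, False))
    if stored_domain is None or stored_domain != domain:
        return None
    session.logged_in_as, session.is_admin = name, is_admin
    return session

def hardened_login(session: Session, params: dict) -> Optional[Session]:
    """Fixed pattern: incoming identity parameters are ignored; the stored SAML subject is used."""
    if session.saml_subject is None:
        return None
    name, domain = session.saml_subject, session.saml_domain  # server-side only
    stored_domain, is_admin = USERS.get(name, (None, False))
    if stored_domain is None or stored_domain != domain:
        return None
    session.logged_in_as, session.is_admin = name, is_admin
    return session
```

With the same validated assertion for a non-admin user, the vulnerable handler honours a swapped `username` parameter while the hardened one logs in only the asserted subject.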

How to find out if you are affected

Click the Help link in the top-right corner of the AssetExplorer web client. Select the About option from the drop-down to see your current version. If your current version is between 6503 and 6723 and you are using SAML authentication, you might be affected.

What customers should do

Download the upgrade pack from https://www.manageengine.com/products/asset-explorer/service-packs.html and immediately upgrade to version 6724 or above. Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.

Important note:

As always, make a copy of the entire AssetExplorer installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at assetexplorer-support@manageengine.com.

Best regards,
Umashankar
ManageEngine AssetExplorer

March 11, 2020

Directory traversal vulnerability in AssetExplorer 6700 and 6701

This is a security advisory regarding a directory traversal vulnerability (also known as file path traversal) in AssetExplorer, which has been identified and rectified. Users of AssetExplorer versions 6700 and 6701 are affected by this vulnerability and advised to update to version 6702 or above immediately.

Severity: High

Impact:

An unauthenticated attacker might be able to access arbitrary files on the server running AssetExplorer, outside the web server's document directory, using a specially crafted URL. This vulnerability might be exploited to access sensitive information to aid in subsequent attacks.

What led to the vulnerability

AssetExplorer allows technicians to initiate remote sessions on Windows workstations using the Web Remote capability. This feature is enabled through a third-party tool, RemoteSpark, which is bundled with AssetExplorer.

The use of RemoteSpark's Spark View Version 5.8 (Build 903-928) in AssetExplorer versions 6700 and 6701 led to this vulnerability.

Who is affected?

Customers of AssetExplorer using versions 6700 and 6701 across all editions are affected by this vulnerability.

How have we fixed it?

This particular vulnerability has been addressed in AssetExplorer 6702 by migrating to RemoteSpark Spark View Version 5.2 (Build 942). RemoteSpark has confirmed with ManageEngine that the issue has been fixed in this version.

How to find out if you are affected

Click the Help link in the top-right corner of the AssetExplorer web client. Select the About option from the drop-down to see your current version. If your current version is 6700 or 6701, you might be affected.

What customers should do

Download the upgrade pack from https://www.manageengine.com/products/asset-explorer/service-packs.html and immediately upgrade to version 6702 or above. Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.

Important note:

As always, make a copy of the entire AssetExplorer installation folder before applying the upgrade and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at assetexplorer-support@manageengine.com.

Best regards,
Umashankar
ManageEngine AssetExplorer
