CVE-2023-35854
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
Comprehensive Technical Analysis of CVE-2023-35854
Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2023-35854
CVSS v3.1 Score: 9.8 (Critical) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector Breakdown:
- Attack Vector (AV:N): Network-based exploitation (remote attack surface).
- Attack Complexity (AC:L): Low – No specialized conditions required.
- Privileges Required (PR:N): None – Unauthenticated exploitation.
- User Interaction (UI:N): None – No user action needed.
- Scope (S:U): Unchanged – Impact confined to the vulnerable component.
- Confidentiality (C:H): High – Full domain controller session token exposure.
- Integrity (I:H): High – Domain controller identity spoofing possible.
- Availability (A:H): High – Potential for full domain compromise.
Severity Justification
This vulnerability is critical due to:
- Unauthenticated remote exploitation (no credentials required).
- Privilege escalation to Domain Controller (DC) administrator via stolen session tokens.
- High impact on confidentiality, integrity, and availability of Active Directory (AD) environments.
- Lack of vendor acknowledgment (Zoho states it has found no evidence or detail of a security vulnerability, while the assigned CVSS score and the existence of a PoC suggest otherwise).
2. Potential Attack Vectors and Exploitation Methods
Attack Surface
The vulnerability resides in Zoho ManageEngine ADSelfService Plus (ADSSP), a self-service password reset and multi-factor authentication (MFA) solution for Active Directory. The flaw allows an attacker to:
- Bypass authentication in ADSSP (versions ≤ 6113).
- Steal the Domain Controller (DC) session token, enabling:
  - Identity spoofing (impersonation of the DC).
  - Privilege escalation to Domain Admin (highest AD privilege).
  - Lateral movement across the AD environment.
Exploitation Workflow
Based on available PoC references (e.g., the GitHub repository), the attack likely follows this sequence:
1. Reconnaissance:
   - Identify exposed ADSSP instances (default port: 8888/TCP).
   - Enumerate the version (≤ 6113) via HTTP headers or error messages.
2. Authentication Bypass:
   - Exploit a flaw in session token validation (likely in the authentication handler).
   - Craft a malicious request to bypass login checks and obtain a valid session.
3. Session Token Theft:
   - Extract the DC session token (possibly stored in cookies, memory, or API responses).
   - This token may be long-lived or reusable, allowing persistent access.
4. Domain Controller Impersonation:
   - Use the stolen token to authenticate as the DC in AD operations.
   - Perform privileged actions (e.g., user/group modifications, Kerberos ticket forging, DCSync attacks).
5. Post-Exploitation:
   - Dump AD credentials (via Mimikatz, SecretsDump, or DCSync).
   - Deploy persistence (Golden Ticket, Skeleton Key, or backdoor accounts).
   - Move laterally to other systems (e.g., via Pass-the-Hash or Kerberos delegation).
Exploitation Requirements
- Network access to the ADSSP web interface (port 8888/TCP).
- No prior authentication required.
- No user interaction needed.
- PoC code available (increases risk of widespread exploitation).
3. Affected Systems and Software Versions
| Product | Affected Versions | Fixed Versions | Notes |
|---|---|---|---|
| Zoho ManageEngine ADSelfService Plus | ≤ 6113 | ≥ 6114 | Vendor disputes vulnerability. |
| Active Directory Domain Services | All versions (if ADSSP is integrated) | N/A | Indirectly affected via token theft. |
Detection Methods
- Version Check: `https://<ADSSP_SERVER>:8888/selfservice/version` (or via HTTP headers).
- Vulnerability Scanning:
  - Nmap: `nmap -p 8888 --script http-vuln-cve2023-35854 <TARGET>`
  - Nessus/OpenVAS: Plugin for CVE-2023-35854 (if available).
- Log Analysis:
  - Unusual authentication bypass attempts in ADSSP logs.
  - DC session token usage from unexpected IPs.
4. Recommended Mitigation Strategies
Immediate Actions (Short-Term)
- Upgrade ADSelfService Plus:
  - Apply version 6114 or later (if available).
  - Monitor Zoho’s security advisories for patches.
- Network-Level Protections:
  - Restrict access to ADSSP (port 8888/TCP) via:
    - Firewall rules (allow only trusted IPs).
    - VPN/Zero Trust for remote access.
  - Disable ADSSP if not in use.
- Temporary Workarounds:
  - Disable vulnerable authentication endpoints (if possible via configuration).
  - Enable MFA for ADSSP logins (mitigates some attack vectors but may not prevent token theft).
- Monitoring & Detection:
  - SIEM Alerts: Watch for:
    - Unauthenticated access to `/selfservice/` endpoints.
    - DC session token usage from non-DC IPs.
  - Endpoint Detection & Response (EDR): Monitor for:
    - Unusual ADSSP process activity.
    - Token theft attempts (e.g., Mimikatz, Rubeus).
Long-Term Hardening
- Active Directory Security:
  - Enforce Least Privilege: Restrict DC admin rights.
  - Enable LDAP Signing & Channel Binding (prevents relay attacks).
  - Deploy Microsoft Defender for Identity (detects DC impersonation).
- Application Security:
  - Code Review: Audit ADSSP for session management flaws.
  - Web Application Firewall (WAF): Block exploitation attempts (e.g., SQLi, auth bypass patterns).
- Incident Response Planning:
  - Assume Breach: Prepare for DC compromise scenarios.
  - Token Revocation: Invalidate stolen DC session tokens via:
    - `klist purge` (Kerberos tickets).
    - Restarting the DC (if necessary).
5. Impact on the Cybersecurity Landscape
Strategic Implications
- High Risk to Enterprises:
  - ADSSP is widely used in enterprise AD environments, making this a high-value target for APTs and ransomware groups.
  - No vendor acknowledgment increases the risk of unpatched systems.
- Exploitation in the Wild:
  - PoC availability (GitHub) suggests imminent weaponization.
  - Likely to be chained with other AD exploits (e.g., Zerologon, PrintNightmare).
- Regulatory & Compliance Risks:
  - GDPR, HIPAA, SOX: Unauthorized AD access may lead to data breaches and fines.
  - CISA KEV Catalog: If added, federal agencies must patch within 2 weeks.
Threat Actor Interest
- APT Groups: Likely to exploit for espionage (e.g., stealing credentials, lateral movement).
- Ransomware Operators: Could use for initial access (e.g., LockBit, BlackCat).
- Cybercriminals: May sell access to compromised AD environments.
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability stems from improper session token validation in ADSSP’s authentication mechanism. Key technical observations:
- Session Token Handling:
  - ADSSP may fail to validate token integrity or enforce expiration.
  - Tokens may be predictable or reusable (e.g., JWT without proper signing).
- Authentication Bypass:
  - A malformed request (e.g., missing parameters, manipulated headers) could trick ADSSP into granting access.
  - Possible race condition or logic flaw in the auth handler.
- DC Session Token Exposure:
  - The token may be stored in memory or transmitted in cleartext (e.g., via cookies or API responses).
  - Lack of encryption or weak cryptographic protections could allow theft.
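To make the three hypothesised failure modes above concrete (no integrity check, no expiry, reusable or predictable tokens), the following is an added illustrative example of how a server-side session-token validator should behave. It is not ADSSP's code and says nothing about how ADSSP actually implements its tokens; the function names, the token layout (base64url JSON payload followed by an HMAC-SHA256 signature), the audience field and the key handling are assumptions chosen for the illustration.

```python
# Added illustrative example (not ADSSP code, not from Zoho): a session-token
# validator that rejects tokens lacking a valid signature, tokens past their
# expiry, tokens issued for a different audience, and revoked tokens.
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

SERVER_KEY = os.urandom(32)  # constructed key; in practice loaded from a secret store


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, audience, ttl_seconds, key=SERVER_KEY, now=None):
    """Issue 'payload.signature'. The random jti makes tokens unpredictable,
    the aud field binds them to one consumer, and exp enforces a short lifetime."""
    now = time.time() if now is None else now
    payload = {
        "sub": subject,
        "aud": audience,
        "jti": secrets.token_hex(16),
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
    }
    body = b64url_encode(json.dumps(payload, sort_keys=True).encode())
    sig = b64url_encode(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token, expected_audience, key=SERVER_KEY, now=None, revoked=frozenset()):
    """Return the payload if every check passes; otherwise raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed")
    expected = b64url_encode(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison; an unsigned, forged or tampered token fails here
    # before any of its contents are trusted.
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body))
    if payload["exp"] <= now:
        raise ValueError("expired")
    if payload["aud"] != expected_audience:
        raise ValueError("wrong audience")
    if payload["jti"] in revoked:
        raise ValueError("revoked")
    return payload


def check(token, audience, **kwargs):
    """Convenience wrapper returning (True, payload) or (False, reason)."""
    try:
        return True, validate_token(token, audience, **kwargs)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    tok = issue_token("alice", "selfservice", ttl_seconds=600)
    print(check(tok, "selfservice"))
    print(check(tok, "admin-console"))
    print(check("no-signature-here", "selfservice"))
```

The revocation set is what an incident responder would populate after a suspected token theft; with per-token identifiers and short expiry, invalidating a stolen token does not require restarting anything.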
Exploitation Proof-of-Concept (PoC) Analysis
The referenced GitHub PoC likely demonstrates:
- Authentication Bypass:
  - Sending a crafted HTTP request to `/selfservice/login` with invalid/missing credentials but a manipulated session ID.
- Token Extraction:
  - Parsing the response for a DC session token (e.g., in `Set-Cookie` headers or JSON payloads).
- DC Impersonation:
  - Using the token to authenticate to AD (e.g., via LDAP or Kerberos).
Detection & Forensic Indicators
| Indicator | Description |
|---|---|
| Network Traffic | Unauthenticated POST /selfservice/login requests. |
| Log Entries | ADSSP logs showing successful logins without credentials. |
| Memory Artifacts | DC session tokens in ADSSP process memory (e.g., via procdump). |
| AD Event Logs | Event ID 4624 (successful logon) from non-DC IPs using DC credentials. |
| Kerberos Tickets | Unusual TGT/TGS requests from the ADSSP server. |
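The following Python script is an added example, not code from the original analysis or from Zoho. It implements two of the indicators that recur in the Log Analysis list (section 3), the SIEM Alerts list (section 4) and the table above: a 4624 logon for a DC computer account from an IP address that is not a DC, and requests to `/selfservice/` endpoints from outside the networks allowed to reach ADSSP. The DC names, IP addresses, trusted network prefixes and every log line are constructed for the example, and the access-log layout (Common Log Format) is an assumption, since the page does not describe ADSSP's own log format.

```python
# Added example (not from the original analysis or from Zoho): detection logic
# for two indicators from the forensic-indicator table, run over constructed
# Windows Security events and constructed web access-log lines.
import re
from dataclasses import dataclass

# Assumed environment inventory (constructed values).
DC_ACCOUNTS = {"DC01$", "DC02$"}          # DC computer accounts
DC_IPS = {"10.0.0.10", "10.0.0.11"}        # addresses a DC account may legitimately log on from
TRUSTED_CLIENT_NETS = ("10.0.", "192.168.1.")  # prefixes allowed to reach the ADSSP web UI


@dataclass(frozen=True)
class Finding:
    source: str
    reason: str
    detail: str


# Constructed Windows Security 4624/4625 events (field names as in EventData).
WIN_EVENTS = [
    {"EventID": 4624, "TargetUserName": "DC01$", "IpAddress": "10.0.0.11", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "DC01$", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "DC02$", "IpAddress": "203.0.113.7", "LogonType": 3},
]

# Constructed access-log lines (Common Log Format assumed) for the ADSSP host.
ACCESS_LOG = """\
10.0.0.23 - - [10/Jul/2023:09:00:01 +0000] "POST /selfservice/login HTTP/1.1" 200 512
203.0.113.7 - - [10/Jul/2023:09:00:05 +0000] "POST /selfservice/login HTTP/1.1" 200 512
203.0.113.7 - - [10/Jul/2023:09:00:06 +0000] "GET /selfservice/home HTTP/1.1" 200 2048
10.0.0.23 - - [10/Jul/2023:09:01:00 +0000] "GET /selfservice/home HTTP/1.1" 200 2048
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def dc_logons_from_unexpected_ips(events):
    """Indicator: Event ID 4624 for a DC computer account from a non-DC source IP."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4624:
            continue  # only successful logons are in scope for this indicator
        if ev["TargetUserName"] in DC_ACCOUNTS and ev["IpAddress"] not in DC_IPS:
            findings.append(Finding(
                "windows-security", "dc-account-logon-from-non-dc-ip",
                f'{ev["TargetUserName"]} from {ev["IpAddress"]}'))
    return findings


def selfservice_requests_from_untrusted(lines):
    """Indicator: any request to a /selfservice/ endpoint from outside the allowed networks."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or not m["path"].startswith("/selfservice/"):
            continue
        if not m["ip"].startswith(TRUSTED_CLIENT_NETS):
            findings.append(Finding(
                "adssp-access", "selfservice-from-untrusted-ip",
                f'{m["method"]} {m["path"]} from {m["ip"]} -> {m["status"]}'))
    return findings


def run(events=WIN_EVENTS, access_log=ACCESS_LOG):
    """Run both detectors and return the combined list of findings."""
    return dc_logons_from_unexpected_ips(events) + selfservice_requests_from_untrusted(access_log.splitlines())


if __name__ == "__main__":
    for f in run():
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

On the constructed input the script reports one DC-account logon from 203.0.113.7 and two `/selfservice/` requests from the same untrusted address; the failed 4625 logon and the ordinary user logon are ignored, which keeps the first indicator tightly scoped to the "DC credentials from non-DC IPs" case in the table.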
Mitigation Verification
- Penetration Testing:
- Attempt to reproduce the PoC in a lab environment.
- Verify if upgrading to 6114+ resolves the issue.
- Log Review:
- Check for unexpected authentication successes in ADSSP logs.
- Token Validation:
- Use Burp Suite or OWASP ZAP to test session token handling.
Conclusion & Recommendations
CVE-2023-35854 represents a critical authentication bypass in Zoho ManageEngine ADSelfService Plus, enabling unauthenticated attackers to impersonate Domain Controllers and gain Domain Admin privileges. Given the high CVSS score (9.8), PoC availability, and enterprise adoption of ADSSP, this vulnerability poses a severe risk to organizations.
Immediate Actions for Security Teams:
- Patch or Upgrade ADSSP to the latest version (if available).
- Restrict Network Access to ADSSP (port 8888/TCP).
- Monitor for Exploitation via SIEM/EDR alerts.
- Assume Compromise if ADSSP is exposed and unpatched.
- Engage Zoho Support for clarification on the vulnerability status.
Long-Term Strategies:
- Enhance AD Security (LDAP signing, MFA, least privilege).
- Implement Zero Trust for ADSSP access.
- Conduct Red Team Exercises to test AD resilience.
Final Note: Given Zoho’s disputed stance on this CVE, organizations should treat this as a zero-day until official confirmation or a patch is released. Proactive monitoring and hardening are essential to mitigate potential attacks.