ADVISORY!
TLP : CLEAR
Date : 04/03/2024
REF NO : CERT / 2024/03/17
ManageEngine Password Manager Pro Multiple Vulnerabilities
Severity Level: Medium
Components Affected
- ManageEngine Password Manager Pro prior to version 12.4 (Build-12420)
Overview
Multiple vulnerabilities were identified in ManageEngine Password Manager Pro. A remote attacker could exploit some of these vulnerabilities to trigger security restriction bypass, data manipulation, cross-site scripting and sensitive information disclosure on the targeted system.
Description
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers.
Impact
- Information Disclosure
- Data Manipulation
- Cross-Site Scripting
- Security Restriction Bypass
Solution/ Workarounds
Before installation of the software, please visit the software vendor web-site for more details.
Apply fixes issued by the vendor:
- Update to version 12.4 (Build-12420) or later
Reference
Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.
Sri Lanka Computer Emergency Readiness Team | Coordination Centre
- Hotline : 101
- +94 11 269 1692
- Room 4-112, BMICH, Bauddhaloka Mawatha, Colombo 07, Sri Lanka.
- General inquiry: cert@cert.gov.lk
- Security incidents: incidents@cert.gov.lk
- Social media incidents: report@cert.gov.lk
