Security researcher Sebastian Perez has revealed eight serious security vulnerabilities in ManageEngine Password Manager Pro (PMP), a password management software for enterprises, and has released details and PoC code for each of them.
The vendor has already shipped fixes, so if your enterprise uses PMP to control access to shared administrative or privileged passwords, you should update to the latest version and build (v8.3, build 8303) as soon as possible, if you haven't already.
According to ManageEngine’s website, the software is used by the IT divisions of some of the world’s largest organizations and Fortune 500 companies, including Walmart, EMC2, VMWare and NASA.
Vulnerable versions include 8.1 through 8.3 (builds before 8303); earlier versions are probably affected as well.
The issues encompass privilege escalation, business logic bypass, password policy bypass, user enumeration and stored cross-site scripting (XSS) flaws, as well as a cross-site request forgery (CSRF) vulnerability that has only been partially fixed.
Among the released PoC attack code is an exploit that takes advantage of one of the privilege escalation vulnerabilities to elevate a regular user to SuperAdmin and then download the passwords and files stored within the application.
More details about the vulnerabilities and the PoC exploits can be found in this post on the Bugtraq mailing list.
Perez, who is a senior penetration tester with EPAM Systems, notified ManageEngine of the flaws in July 2015, and it took the vendor until December 2015 to push out all of the fixes.