Abstract Advisory Information


Security issue affecting the product DataSecurity Plus.

DataSecurity Plus is software that helps companies address enterprise data security needs in data discovery, file server auditing and storage analysis.

Two services exposed by the software allow a basic user (“Operator” access level) to:

– Use the service as a relay to perform a discovery operation (machine availability and open-port state) against machines located on the same internal network.

– Access the configuration file of the mail server (except for the password).
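Both findings are the same class of defect: a sensitive operation reachable by a low-privileged role without a server-side authorization check. The following Python module is an added illustration of the fix pattern, not code from DataSecurity Plus or from the vendor; the role names, the configured-target allowlist, the mail configuration values and the function names are all assumptions made for the example. It gates the discovery operation on the administrator role and on a list of hosts the product is already configured to audit (so the service cannot be used as a relay into the LAN), and it returns mail settings with secret fields redacted even to administrators.

```python
"""Role-gated access for two sensitive service operations.

Added illustration, not DataSecurity Plus code: it models the fix pattern for
the two findings above (a discovery relay and a mail-server configuration read
reachable by an "Operator" account). All names and values are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet

ADMIN_ROLE = "Administrator"   # hypothetical privileged role name
OPERATOR_ROLE = "Operator"     # the low-privileged access level named in the advisory

# Constructed sample configuration standing in for the product's mail settings.
MAIL_SERVER_CONFIG = {
    "host": "smtp.example.internal",
    "port": 587,
    "username": "notifier",
    "password": "constructed-secret",
}

# Keys that must never leave the server, regardless of the caller's role.
SECRET_KEYS = frozenset({"password", "secret", "token"})


class AuthorizationError(PermissionError):
    """Raised when the caller's role or target is not permitted."""


@dataclass(frozen=True)
class Caller:
    name: str
    role: str


def require_role(caller: Caller, *allowed: str) -> None:
    """Server-side role check; the client's own claims are never trusted."""
    if caller.role not in allowed:
        raise AuthorizationError(f"role {caller.role!r} may not perform this operation")


def probe_host(caller: Caller, target: str, port: int,
               allowed_targets: FrozenSet[str]) -> dict:
    """Discovery operation: administrators only, and only against hosts the
    product is configured to audit, so the service cannot relay arbitrary scans."""
    require_role(caller, ADMIN_ROLE)
    if target not in allowed_targets:
        raise AuthorizationError(f"{target!r} is not a configured audit target")
    # The actual probe is out of scope; return what the audit log would record.
    return {"target": target, "port": port, "authorized_by": caller.name}


def read_mail_config(caller: Caller, config: dict = MAIL_SERVER_CONFIG) -> dict:
    """Mail settings: administrators only, with secret fields redacted even then."""
    require_role(caller, ADMIN_ROLE)
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in config.items()}


def is_denied(operation: Callable, *args, **kwargs) -> bool:
    """Helper for callers and tests: True when the operation is refused."""
    try:
        operation(*args, **kwargs)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    operator = Caller("alice", OPERATOR_ROLE)
    admin = Caller("bob", ADMIN_ROLE)
    targets = frozenset({"fileserver01"})
    print("operator probe denied:", is_denied(probe_host, operator, "fileserver01", 445, targets))
    print("admin probe of unlisted host denied:", is_denied(probe_host, admin, "10.0.0.9", 445, targets))
    print("admin mail config:", read_mail_config(admin))
```

The two checks are deliberately separate: the role check closes the privilege gap the advisory describes, and the target allowlist limits what even an authorized caller can reach, which is what stops the service from acting as a general-purpose relay. Redaction happens in the server response rather than in the client, so the password never crosses the wire.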

Author: Dominique Righetto

Version affected


Vendor: Manage Engine

Name: DataSecurity Plus

Version: 5.0.1 Build 5011 and previous versions

Common Vulnerability Scoring System


4.3

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Patches


5.0.1 Build 5012

References


https://www.manageengine.com/data-security/release-notes.html

Vulnerability Disclosure Timeline


  • 09/07/2019: Vulnerability discovered
  • 10/07/2019: First contact to vendor
  • 06/08/2019: Request for updates, no answer
  • 26/08/2019: Request for updates, no answer
  • 04/09/2019: Request for updates, no answer
  • 12/09/2019: Vendor confirmed the fix creation
  • 26/09/2019: Request for updates, no answer
  • 01/10/2019: Request for updates, no answer
  • 03/10/2019: Fix released by vendor (5012)
  • 03/10/2019: MITRE CVE-ID request CVE-2019-17112
  • 07/10/2019: Public disclosure