Abstract Advisory Information
The service used to test the mail server configuration suffers from an authorization issue that allows a user with the “Guest” role (read-only access) to use and abuse it. One of the abuses allows network and port scan operations against the localhost or against hosts on the same network segment.
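The following is an added illustration, not ManageEngine code, of the two controls the abuse described above calls for on a "test mail server" feature: an explicit permission check that a read-only role fails, and validation of the requested target so that the feature cannot be used as a scanner of the local host or the local network segment. The role names other than "Guest", the permission strings, the audit log and the stub resolver are all assumptions made for the example; the connect function is injected so that nothing on the network is touched.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List

# Hypothetical role/permission model: the advisory only names the read-only
# "Guest" role, so "Administrator" and the permission strings are assumptions.
MAIL_TEST_PERMISSION = "mail_settings:test"
ROLE_PERMISSIONS = {
    "Administrator": {"mail_settings:read", "mail_settings:write", MAIL_TEST_PERMISSION},
    "Guest": {"mail_settings:read"},  # read-only: may view settings, never exercise them
}

# A mail-server test only needs to reach SMTP ports; anything else is a port probe.
ALLOWED_SMTP_PORTS = {25, 465, 587}

AUDIT_LOG: List[str] = []  # stand-in for the product's audit trail (assumption)


class AuthorizationError(PermissionError):
    pass


class TargetNotAllowedError(ValueError):
    pass


@dataclass(frozen=True)
class User:
    name: str
    role: str


def has_permission(user: User, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def resolve_target(host: str, resolver: Callable[[str], str] = socket.gethostbyname):
    """Return the IP address that would actually be dialled (literal, or resolved once)."""
    literal = host.strip("[]")
    try:
        return ipaddress.ip_address(literal)
    except ValueError:
        return ipaddress.ip_address(resolver(literal))


def check_target(host: str, port: int, resolver=socket.gethostbyname) -> str:
    """Reject targets that would turn the feature into a scanner of the local host or LAN."""
    if port not in ALLOWED_SMTP_PORTS:
        raise TargetNotAllowedError(f"port {port} is not an SMTP port")
    addr = resolve_target(host, resolver)
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        raise TargetNotAllowedError(f"{host} resolves to non-routable address {addr}")
    return str(addr)


def run_mail_server_test(user, host, port, connect, resolver=socket.gethostbyname) -> dict:
    """Authorization first, target validation second, network I/O last.

    `connect(addr, port) -> bool` is injected so the example runs offline."""
    if not has_permission(user, MAIL_TEST_PERMISSION):
        raise AuthorizationError(f"{user.role} role may not test mail settings")
    addr = check_target(host, port, resolver)
    return {"host": host, "address": addr, "port": port, "reachable": connect(addr, port)}


def handle_request(user, host, port, connect, resolver=socket.gethostbyname) -> str:
    """HTTP-handler-style wrapper: maps outcomes to a status and writes an audit line."""
    try:
        run_mail_server_test(user, host, port, connect, resolver)
        status = "ok"
    except AuthorizationError:
        status = "forbidden"
    except TargetNotAllowedError:
        status = "target_rejected"
    AUDIT_LOG.append(f"mail_test user={user.name} role={user.role} "
                     f"target={host}:{port} result={status}")
    return status


if __name__ == "__main__":
    # Constructed inputs: a stub resolver table and a probe that never opens a socket.
    dns = {"mail.example.com": "93.184.216.34", "fileserver.corp.local": "10.0.0.5"}
    probe = lambda addr, port: True
    for user, host, port in [(User("alice", "Administrator"), "mail.example.com", 587),
                             (User("bob", "Guest"), "mail.example.com", 587),
                             (User("bob", "Guest"), "127.0.0.1", 8080),
                             (User("alice", "Administrator"), "fileserver.corp.local", 25)]:
        print(handle_request(user, host, port, probe, dns.__getitem__))
    print(*AUDIT_LOG, sep="\n")
```

The order of the checks is the point: a Guest request for 127.0.0.1:8080 is refused as "forbidden" before the target is even looked at, so the response carries no reachability information, and the audit line records who tried what, which is the signal a SOC would alert on for the affected versions.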
Author: Dominique Righetto
Version affected
Name: Remote Access Plus
Versions: 10.0.447
Common Vulnerability Scoring System
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Patches
Fixed in version 10.0.451
References
https://www.manageengine.com/remote-desktop-management/knowledge-base/authorization-failure.html
Vulnerability Disclosure Timeline
- 21/10/2019: Vulnerability discovered
- 25/10/2019: First contact with vendor
- 29/10/2019: Vendor feedback, investigation in progress
- 08/11/2019: Request for updates
- 18/11/2019: Request for updates
- 18/12/2019: Request for updates
- 03/01/2020: Request for updates
- 03/01/2020: Vulnerability is fixed and release in progress
- 27/01/2020: Request for updates
- 17/02/2020: Patch is available
- 17/02/2020: CVE ID requested from MITRE
- 17/02/2020: CVE ID assigned
- 19/02/2020: Public disclosure