top of page

ManageEngine OpManager getUserAPIKey Authentication Bypass (CVE-2022-36923)



Application Details

ManageEngine OpManager is a comprehensive network monitoring software that provides network administrators with an integrated console for managing routers, firewalls, servers, switches, and printers.


Vulnerability

The lack of proper request handling mechanism had resulted in unauthenticated access of the user API key. Anyone can retrieve the API key of a valid user without authentication and can access the external APIs.


Identification

By sending a specially crafted request, an attacker could exploit this vulnerability to obtain the user API key information and then access external APIs.

POST /RestAPI/getAPIKey
PAYLOAD - operation=getUserAPIKey&username=admin&domainname=-&HANDSHAKE_KEY=ppppppppppppppppppppppppppppppppppppppppppppppppp

Detection

By turning this into a traffic file and matching rule, we are able to detect attempts by unauthenticated attackers to obtain a user's API key and gain unauthorised access to the application.


Coverage

Idappcom has created signature 8023052 along with a traffic file for this vulnerability.


References


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability, or others, why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional

コメント


bottom of page