Published:2016/09/29  Last Updated:2016/09/29

JVN#72559412
ManageEngine ServiceDesk Plus uses an insecure method for cookie generation

Overview

ManageEngine ServiceDesk Plus provided by Zoho Corporation uses an insecure method for generating cookies.

Products Affected

  • ManageEngine ServiceDesk Plus versions prior to 9.2

Description

ManageEngine ServiceDesk Plus provided by Zoho Corporation is a help desk software. ManageEngine ServiceDesk Plus uses an insecure method for generating cookies.

Impact

If an attacker obtains a user's cookie, the password contained in the cookie can be easily guessed.

Solution

Update the software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Link
Zoho Corporation ServiceDesk Plus 9.2 ReadMe

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 3.7
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:H/Au:N/C:P/I:N/A:N
Base Score: 2.6
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Akihito Mukai and Tomoshige Hasegawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2016-4890
JVN iPedia JVNDB-2016-000171