CVE-2023-6105: 
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2023-6105) was discovered in multiple ManageEngine products, reported in November 2023. The vulnerability allows encryption keys to be exposed when a low-privileged OS user has access to the host where an affected ManageEngine product is installed. This user can view and use the exposed key to decrypt product database passwords, ultimately gaining access to the ManageEngine product database (Tenable Advisory, ManageEngine Advisory).

The vulnerability stems from improper folder permissions in multiple ManageEngine products. An encryption key is stored in the 'CryptTag' configuration in \conf\customer-config.xml, and the database usernames and passwords can be found in \conf\database_params.conf. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Tenable Advisory).

When exploited, this vulnerability allows attackers to run OS commands with privileges of the user account running the database server (usually SYSTEM or other administrative accounts), modify the database to reset administrative user passwords, and view sensitive data contents. The vulnerability specifically impacts the ability to decrypt product database passwords, potentially compromising the entire ManageEngine product database (Tenable Advisory).

ManageEngine has released patches for all affected products. Users are advised to upgrade to the fixed versions provided in the security advisory. For example, Access Manager Plus users should upgrade to version 4312, ADAudit Plus to version 7251, and ADManager Plus to version 7210. The complete list of fixed versions is available in the vendor's security advisory (ManageEngine Advisory).