Security researchers have disclosed 11 security flaws in OpenText’s NetIQ iManager, an enterprise directory management tool that provides secure remote access to network administration utilities. Four of the 11 vulnerabilities can be chained together to compromise iManager remotely.
Yahoo’s Paranoid team discovered the vulnerabilities, and they are just as dangerous on their own as when chained together. Individually, the flaws cover cross-site request forgery (CSRF), server-side request forgery (SSRF), remote code execution (RCE), malicious file upload, authentication bypass, file exposure and privilege escalation. The full list of detected vulnerabilities is as follows.
- CVE-2024-4429: Multiple CSRF Validation Bypasses
- CVE-2024-3970: Create eGuide Blind SSRF
- CVE-2024-3969: Unsafe Stylesheet Parsing Leads to Remote Code Execution
- CVE-2024-3968: Plugin Studio Installer RCE
- CVE-2024-3967: Email Configuration Unsafe Deserialization May Lead to Remote Code Execution
- CVE-2024-3488: Autoparse Arbitrary File Upload
- CVE-2024-3487: fw_authState Authentication Bypass
- CVE-2024-3486: ModulesToInstall XXE Leads to SSRF or File Disclosure
- CVE-2024-3485: Multiple Data Handler Directory Traversals Leads to File Disclosure
- CVE-2024-3484: OctetStringUpload Path Traversal Leads to Privilege Escalation or File Disclosure
- CVE-2024-3483: checkForLocaleDirectory Command Injection Leads to Remote Code Execution
Out of these flaws, CVE-2024-3483 (command injection), CVE-2024-3487 (authentication bypass), CVE-2024-3488 (arbitrary file upload) and CVE-2024-4429 (CSRF validation bypass) together allowed remote compromise of iManager by tricking a user connected to the corporate network into visiting a malicious website. The researchers also showed that an attacker could obtain administrator credentials and use them to make changes.
iManager version 3.2.6.0300, as of April 2024, addressed these issues, allowing the Paranoid team to disclose them publicly. The disclosure takes a closer look at the four vulnerabilities named above and explains how they can be chained. However, the patch notes for version 3.2.6.0300 list only seven vulnerabilities as resolved.