CVE-2020-11552 Overview
CVE-2020-11552 is a critical elevation of privilege vulnerability in ManageEngine ADSelfService Plus before build 6003. The vulnerability exists because the application does not properly enforce user privileges associated with a Certificate dialog. This security flaw allows an unauthenticated attacker to escalate privileges on a Windows host without requiring any existing privileges on the target system.
The attack vector leverages the self-service option available on the Windows login screen. When this option is selected, the thick-client software launches and connects to a remote ADSelfService Plus server. An attacker with physical access to the host can trigger a security alert by supplying a self-signed SSL certificate to the client. The "View Certificate" option from this security alert allows the attacker to export the displayed certificate to a file, which cascades to a dialog that can open Windows Explorer as SYSTEM. From Explorer, an attacker can navigate to \windows\system32 and launch cmd.exe as SYSTEM, achieving complete system compromise.
Critical Impact
This vulnerability enables unauthenticated attackers to gain SYSTEM-level privileges on Windows hosts through the self-service login screen functionality, potentially leading to complete system compromise.
Affected Products
- Zohocorp ManageEngine ADSelfService Plus (all versions before build 6003)
- ManageEngine ADSelfService Plus 6.0 (builds 6000, 6001, 6002)
- Any affected build of ManageEngine ADSelfService Plus with the Windows login screen self-service option enabled, which is what exposes the vulnerable thick client
Discovery Timeline
- 2020-08-11 - CVE-2020-11552 published to NVD
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2020-11552
Vulnerability Analysis
This privilege escalation vulnerability stems from improper privilege enforcement within the Certificate dialog handling mechanism of ManageEngine ADSelfService Plus. The vulnerability is particularly dangerous because it can be exploited from the Windows login screen before any user authentication occurs.
The thick-client software launched from the Windows login screen runs with elevated privileges to facilitate self-service password reset operations. However, the application fails to properly restrict certain UI interactions when SSL certificate errors occur. The certificate export functionality opens a file save dialog that inherits the elevated privileges of the parent process, ultimately allowing access to Windows Explorer with SYSTEM privileges.
Root Cause
The root cause is classified as CWE-269 (Improper Privilege Management). The ADSelfService Plus thick-client fails to properly enforce user privilege restrictions when handling Certificate dialogs triggered by SSL certificate validation errors. The application does not adequately sandbox or restrict the capabilities of child dialogs spawned during the certificate inspection workflow, allowing privilege escalation through the file system browser interface.
Attack Vector
The attack requires physical access to a Windows host where the ADSelfService Plus self-service option is available on the login screen. The exploitation flow consists of:
- At the Windows login screen, the attacker selects the self-service password reset option
- The thick-client software launches and attempts to connect to the ADSelfService Plus server
- The attacker supplies a self-signed SSL certificate to the client, triggering a security alert
- From the security alert, the attacker selects "View Certificate"
- Using the certificate export functionality, the attacker accesses a file save dialog
- Through the file dialog, the attacker navigates to open Windows Explorer
- From Explorer running as SYSTEM, the attacker navigates to \windows\system32
- The attacker launches cmd.exe with SYSTEM privileges
The exploitation does not require network access to the target system itself, though the thick-client would normally attempt to connect to a remote server. The vulnerability allows local privilege escalation from no privileges (pre-authentication) to full SYSTEM access.
Detection Methods for CVE-2020-11552
Indicators of Compromise
- Unexpected cmd.exe or powershell.exe processes spawned as SYSTEM from the ADSelfService Plus client executable
- Windows Explorer instances running with SYSTEM privileges originating from certificate dialogs
- File system browsing or file writes (for example a certificate export) performed from the Windows login screen context, before any interactive logon has completed
- Anomalous process trees showing ADSelfService Plus spawning shell processes
Detection Strategies
- Monitor for process creation events where cmd.exe or explorer.exe is spawned with SYSTEM privileges from unexpected parent processes
- Implement endpoint detection rules to flag certificate export operations followed by shell launches from the ADSelfService Plus client
- Configure Windows event logging (process creation auditing with command-line capture) so that processes launched from the login screen, before any user has authenticated, are recorded and can be reviewed for privilege escalation attempts
- Deploy behavioral analysis to detect unusual sequences of certificate handling followed by file system navigation
Monitoring Recommendations
- Enable process creation auditing (Event ID 4688) with command-line logging on systems with ADSelfService Plus client installed
- Monitor for suspicious use of the self-service login screen option outside normal business hours
- Implement SentinelOne Singularity platform for real-time detection of privilege escalation attack patterns
- Review Windows Security logs for anomalous SYSTEM-level process creation events
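The detection strategies above (a shell or Explorer running as SYSTEM with the ADSelfService Plus client in its ancestry) and the 4688 monitoring recommendation can be expressed as a single rule over exported process creation events. The following is an added example, not code from the advisory or from ManageEngine: it parses constructed 4688 records in a simple Field=Value|Field=Value export format, rebuilds the process tree from NewProcessId and the creator ProcessId, and flags cmd.exe, powershell.exe or explorer.exe running under S-1-5-18 whose ancestor chain reaches the login-agent client. The client image name adselfserviceplusclient.exe is a placeholder assumption; substitute the image name from your own deployment.

```python
"""Flag SYSTEM shells descended from the ADSelfService Plus login-screen client.

Added example (not from the advisory or from ManageEngine). The export format,
the sample events and the client image name are all constructed assumptions.
"""
import ntpath
from dataclasses import dataclass

ADSSP_CLIENT_IMAGE = "adselfserviceplusclient.exe"  # placeholder image name (assumption)
SYSTEM_SID = "S-1-5-18"                              # well-known SID of LocalSystem
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "explorer.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int            # NewProcessId
    ppid: int           # ProcessId (the creator process)
    image: str          # NewProcessName (full path)
    subject_sid: str    # SubjectUserSid: account the new process runs as
    cmdline: str        # CommandLine (populated only when command-line auditing is on)


def parse_4688(line: str) -> ProcEvent:
    """Parse one 4688 record exported as 'Field=Value|Field=Value' (constructed format)."""
    f = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(
        pid=int(f["NewProcessId"], 16),  # 4688 records process ids in hex (0x...)
        ppid=int(f["ProcessId"], 16),
        image=f["NewProcessName"],
        subject_sid=f["SubjectUserSid"],
        cmdline=f.get("CommandLine", ""),
    )


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def find_adssp_system_shells(events, client_image=ADSSP_CLIENT_IMAGE, max_depth=32):
    """Return [(pid, image, ancestry)] for SYSTEM shells whose ancestry reaches the client.

    ancestry lists image basenames from the flagged process up to the client.
    Events are keyed by pid only for brevity; a production rule should key on
    (pid, creation time) because Windows reuses process ids.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in SHELL_IMAGES or e.subject_sid != SYSTEM_SID:
            continue
        chain = [basename(e.image)]
        cur = by_pid.get(e.ppid)
        for _ in range(max_depth):  # bounded walk guards against pid reuse cycles
            if cur is None:
                break
            chain.append(basename(cur.image))
            if basename(cur.image) == client_image:
                hits.append((e.pid, basename(e.image), chain))
                break
            cur = by_pid.get(cur.ppid)
    return hits


# Constructed sample: a login-screen session where the client spawns Explorer and
# then cmd.exe as SYSTEM, next to a normal interactive logon (user SID) for contrast.
SAMPLE_4688 = [
    "NewProcessId=0x2a8|ProcessId=0x1f0|NewProcessName=C:\\Windows\\System32\\winlogon.exe|SubjectUserSid=S-1-5-18",
    "NewProcessId=0x3c0|ProcessId=0x2a8|NewProcessName=C:\\Windows\\System32\\LogonUI.exe|SubjectUserSid=S-1-5-18",
    "NewProcessId=0x4d2|ProcessId=0x3c0|NewProcessName=C:\\Program Files\\ADSelfService Plus\\adselfserviceplusclient.exe|SubjectUserSid=S-1-5-18",
    "NewProcessId=0x5e1|ProcessId=0x4d2|NewProcessName=C:\\Windows\\explorer.exe|SubjectUserSid=S-1-5-18",
    "NewProcessId=0x6f3|ProcessId=0x5e1|NewProcessName=C:\\Windows\\System32\\cmd.exe|SubjectUserSid=S-1-5-18|CommandLine=cmd.exe",
    "NewProcessId=0x800|ProcessId=0x3c0|NewProcessName=C:\\Windows\\explorer.exe|SubjectUserSid=S-1-5-21-1111-2222-3333-1001",
    "NewProcessId=0x910|ProcessId=0x800|NewProcessName=C:\\Windows\\System32\\cmd.exe|SubjectUserSid=S-1-5-21-1111-2222-3333-1001|CommandLine=cmd.exe",
]


def load_sample():
    return [parse_4688(line) for line in SAMPLE_4688]


if __name__ == "__main__":
    for pid, image, chain in find_adssp_system_shells(load_sample()):
        print(f"ALERT pid={pid:#x} {image} as SYSTEM via " + " <- ".join(chain))
```

On the sample, the rule fires twice (the SYSTEM explorer.exe and the cmd.exe beneath it) and stays silent for the user-SID logon, because the SID check and the ancestry walk are both required; either one alone would produce noise from ordinary SYSTEM service trees or from legitimate user shells.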
How to Mitigate CVE-2020-11552
Immediate Actions Required
- Upgrade ManageEngine ADSelfService Plus to build 6003 or later immediately
- Disable the self-service option on Windows login screens until patching is complete
- Restrict physical access to systems with vulnerable ADSelfService Plus installations
- Implement network segmentation to limit exposure of ADSelfService Plus servers
Patch Information
ManageEngine has released build 6003 of ADSelfService Plus which addresses this vulnerability. Administrators should download and apply the update from the official ManageEngine resources. The ManageEngine ADSelfService Plus 6003 Release Notes provide details on the security fixes included in this version.
Additional technical details and exploit information can be found in the Packet Storm RCE Advisory and the Full Disclosure Mailing List.
Workarounds
- Disable the Windows GINA/Credential Provider login screen integration for ADSelfService Plus until patching is possible
- Implement physical security controls to prevent unauthorized access to workstations
- Configure Group Policy to restrict access to the self-service functionality on sensitive systems
- Deploy endpoint protection solutions capable of detecting privilege escalation attack patterns
If immediate patching is not feasible, administrators should disable the login screen self-service option through the ADSelfService Plus administration console:
# ADSelfService Plus Admin Console Configuration
# Navigate to: Configuration > Self-Service > Login Agent Settings
# Disable the following options:
# - "Enable Windows Login Self-Service"
# - "Show Self-Service options on Windows Login Screen"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.