CVE-2023-35719 Overview
CVE-2023-35719 is an authentication bypass vulnerability in ManageEngine ADSelfService Plus GINA Client that allows physically present attackers to execute arbitrary code on affected installations. The vulnerability stems from insufficient verification of data authenticity in the Password Reset Portal used by the GINA client. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Password Reset Portal component. The issue results from the lack of proper authentication of data received via HTTP. An attacker with physical access can leverage this vulnerability to bypass authentication mechanisms and execute code in the context of SYSTEM, resulting in complete compromise of the affected system.
Critical Impact
Physical attackers can bypass authentication and execute arbitrary code with SYSTEM privileges, leading to complete system compromise without requiring any prior authentication.
Affected Products
- ManageEngine ADSelfService Plus (version 6.1 build 6122 and earlier)
- Zohocorp ManageEngine ADSelfService Plus GINA Client component
- Systems with Password Reset Portal functionality enabled
Discovery Timeline
- 2023-09-06 - CVE-2023-35719 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-35719
Vulnerability Analysis
This vulnerability falls under CWE-345 (Insufficient Verification of Data Authenticity), indicating a fundamental flaw in how the application validates the legitimacy of incoming data. The GINA (Graphical Identification and Authentication) client is a Windows credential provider that integrates with the Windows login screen to allow users to reset their passwords directly from the login interface.
The vulnerability exists because the Password Reset Portal component fails to properly authenticate data received over HTTP connections. When a user interacts with the password reset functionality from the Windows login screen, the GINA client communicates with the ADSelfService Plus server. However, due to the lack of proper data authentication, an attacker with physical access to the machine can intercept or manipulate this communication to inject malicious payloads.
The attack requires physical proximity to the target system, which limits the attack surface compared to network-based vulnerabilities. However, the ability to achieve SYSTEM-level code execution without any authentication makes this a serious concern for environments where physical security may be compromised, such as shared workstations, kiosks, or publicly accessible terminals.
Root Cause
The root cause of CVE-2023-35719 is the insufficient verification of data authenticity in the GINA client's communication with the Password Reset Portal. The application fails to implement proper authentication mechanisms for HTTP data received from the server, allowing an attacker to inject or manipulate responses. This lack of cryptographic verification or proper data validation enables the authentication bypass and subsequent code execution.
Attack Vector
The attack requires physical access to a system running the vulnerable GINA client. The attacker can position themselves to intercept network traffic between the GINA client and the ADSelfService Plus server, or perform a man-in-the-middle attack on the local network. By manipulating the HTTP responses from the Password Reset Portal, the attacker can inject malicious code that executes with SYSTEM privileges.
The attack flow involves:
- Physical access to a workstation with the vulnerable GINA client installed
- Initiating a password reset request from the Windows login screen
- Intercepting or manipulating the HTTP communication between the GINA client and server
- Injecting malicious payloads that bypass authentication checks
- Achieving code execution in the SYSTEM context
For detailed technical information about the exploitation mechanism, refer to the Zero Day Initiative Advisory ZDI-23-891 which originally disclosed this vulnerability as ZDI-CAN-17009.
Detection Methods for CVE-2023-35719
Indicators of Compromise
- Unexpected processes spawning from the GINA client credential provider at the Windows login screen
- Anomalous HTTP traffic from workstations during password reset operations
- Suspicious SYSTEM-level process creation events occurring during login screen interactions
- Evidence of network interception tools or ARP spoofing on local network segments
Detection Strategies
- Monitor for unusual process creation events with SYSTEM privileges originating from credential provider DLLs
- Implement network monitoring to detect potential man-in-the-middle attacks on HTTP traffic from GINA clients
- Deploy endpoint detection rules to identify suspicious activity at the Windows login screen
- Review Windows Event Logs for anomalous authentication events during password reset workflows
Monitoring Recommendations
- Enable enhanced logging for the ADSelfService Plus GINA client component
- Implement network segmentation to isolate password reset traffic and enable inspection
- Deploy SentinelOne Singularity to detect and prevent unauthorized code execution at the endpoint level
- Monitor for ARP spoofing or network interception attempts on local network segments
How to Mitigate CVE-2023-35719
Immediate Actions Required
- Update ManageEngine ADSelfService Plus to the latest patched version immediately
- Review physical security controls for workstations with GINA client installed
- Audit systems for signs of compromise, particularly those in physically accessible locations
- Consider temporarily disabling the GINA client on high-risk systems until patching is complete
Patch Information
ManageEngine has released a security update to address this vulnerability. Administrators should consult the ManageEngine CVE-2023-35719 Response for official patch information and upgrade instructions. Organizations should prioritize patching systems in environments where physical security controls may be limited.
Workarounds
- Enforce HTTPS with proper certificate validation for all GINA client communications where supported
- Implement network-level controls to prevent man-in-the-middle attacks on password reset traffic
- Restrict physical access to workstations running the vulnerable GINA client component
- Consider disabling the GINA client Password Reset Portal functionality until a patch can be applied
- Deploy endpoint protection solutions capable of detecting unauthorized SYSTEM-level code execution
# Verify ADSelfService Plus GINA client version
# Check installed version in Windows Registry
reg query "HKLM\SOFTWARE\ZOHO Corp\ADSelfService Plus" /v Version
# Review GINA client installation status
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" /s | findstr -i "adselfservice"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
