Advisory

Yahoo researchers chain exploits in NetIQ iManager to allow Remote Code Execution

Take action: If you are running OpenText's NetIQ iManager, confirm it's accessible only from trusted networks, then plan a patch update. The exploit chain is not trivial, but will eventually be abused.


Learn More

Yahoo's Paranoid vulnerability research team has discovered 11 security vulnerabilities within OpenText's NetIQ iManager, an enterprise directory management tool.

OpenText's NetIQ iManager is a web-based administrative console designed for managing directory services, primarily used with NetIQ eDirectory, allowing centralized control over user identities, group policies, and network configurations across an enterprise from a single interface.

The vulnerabilities include cross-site request forgery (CSRF), server-side request forgery (SSRF), remote code execution (RCE), authentication bypass, arbitrary file upload, file disclosure, and privilege escalation. Collectively, they could allow attackers to compromise iManager remotely.

OpenText patched these vulnerabilities in version 3.2.6.0300 in April 2024, and Yahoo has since disclosed the technical details of four key vulnerabilities, including:

  • CVE-2024-3487 (CVSS score 3.5) - Authentication Bypass - An authentication bypass flaw allows unauthenticated attackers to gain access by manipulating session states through the fw_authState parameter.

  • CVE-2024-3483 (CVSS score 7.8) - Command Injection - A command injection flaw in the checkForLocaleDirectory() method enables attackers to execute arbitrary commands by injecting filenames containing malicious code.

  • CVE-2024-3488 (CVSS score 5.6) - Arbitrary File Upload - This vulnerability allows attackers to upload arbitrary files to specific locations on the server, laying the groundwork for further exploits such as RCE when combined with CVE-2024-3483.

  • CVE-2024-4429 (CVSS score 5.4) - CSRF Validation Bypass - This flaw circumvents iManager’s CSRF protections through specific request parameters and bypass techniques, enabling attackers to carry out requests on behalf of authenticated users.
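The file-upload and command-injection flaws above share one root cause: an attacker-controlled filename reaching the filesystem or a command line. As an added example that is not iManager's code and is not part of the original advisory, here is the allowlist-style validation a defender would expect in front of any such use: reject anything outside a strict pattern, prove the resolved path stays inside its base directory, and never hand the name to a shell. The function names and sample inputs are constructed for illustration.

```python
import re
import subprocess
from pathlib import Path

# Allowlist for locale-style names such as "en", "en_US", "pt-BR", optionally with
# one dotted extension. Shell metacharacters, path separators, "..", spaces and NUL
# bytes cannot match, so they are rejected outright rather than escaped.
# (Constructed rule for this example; not iManager's own check.)
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}(\.[A-Za-z0-9]{1,16})?$")


class UnsafeFilename(ValueError):
    """Raised when a user-supplied name fails validation."""


def safe_filename(name: str) -> str:
    """Return the name unchanged if it matches the allowlist, else raise."""
    if not SAFE_NAME.fullmatch(name):
        raise UnsafeFilename(f"rejected filename: {name!r}")
    return name


def resolve_under(base_dir: Path, name: str) -> Path:
    """Join a validated name to base_dir and confirm the result stays inside it."""
    base = base_dir.resolve()
    target = (base / safe_filename(name)).resolve()
    if target.parent != base:
        raise UnsafeFilename(f"path escapes base directory: {target}")
    return target


def locale_dir_exists(base_dir: Path, name: str) -> bool:
    """Hardened directory check: a filesystem call, never a command line built from the name."""
    return resolve_under(base_dir, name).is_dir()


def list_locale_dir(base_dir: Path, name: str) -> list[str]:
    """If an external tool really must run, pass argv as a list (no shell) after validation."""
    target = resolve_under(base_dir, name)
    result = subprocess.run(["ls", "-1", str(target)], capture_output=True, text=True, check=False)
    return result.stdout.split()


def classify(names):
    """Split candidate names into (accepted, rejected) lists; useful for testing the allowlist."""
    accepted, rejected = [], []
    for candidate in names:
        try:
            accepted.append(safe_filename(candidate))
        except UnsafeFilename:
            rejected.append(candidate)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs: benign locale names alongside hostile ones.
    samples = ["en", "en_US", "pt-BR.properties", "../etc", "en; id", "en_US$(id)", "en\x00", "en|cat"]
    ok, bad = classify(samples)
    print("accepted:", ok)
    print("rejected:", bad)
```

The design choice worth noting is that validation happens before the name touches any path or process API, and the path check is done on the resolved result rather than by string matching, so symlinks and `..` components are caught the same way.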

If chained, these vulnerabilities would enable attackers to bypass authentication and execute arbitrary code on iManager servers. By manipulating an authenticated session, attackers could gain control of administrative functions, extract administrator credentials, and act on behalf of a user.

Through a multi-step chain, attackers could leverage these vulnerabilities to compromise an iManager instance by:

  1. Using CVE-2024-3487 to bypass authentication.
  2. Utilizing CVE-2024-3488 to upload malicious files.
  3. Exploiting CVE-2024-3483 to achieve RCE via crafted file paths.
  4. Employing CVE-2024-4429 to circumvent CSRF protections, thereby executing commands within the compromised iManager environment.

Users are advised to patch OpenText's NetIQ iManager as soon as possible.
