Hackers can exploit security flaws in ManageEngine software to gain administrator-type control of the system.
Digital Defense Inc., a San Antonio-based IT security firm has identified multiple security flaws in ManageEngine’s IT management software that companies use for the management of their IT infrastructure. The Vulnerability Research Team (VRT) at Digital Defense Inc., stated that there are seven vulnerabilities in several Zoho ManageEngine products allowing unauthenticated file upload, blind SQL injection, authenticated remote code execution, and user enumeration, potentially revealing sensitive information or full compromise of the application.
According to Digital Defense’s official blog post, an attacker can compromise the system by simple modification of the configuration file. The flaws were previously undisclosed and exploiting them would allow an attacker to gain administrator-type control of the system. The list of affected products includes “ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils, and NetFlow Analyzer.”
ManageEngine is a subsidiary of Zoho Corporation and is based in Pleasanton, California; it is quite popular among enterprises as over 60% of Fortune 500 firms use its products with over 40,000 customers worldwide. The company has footprints across the globe with offices located in China, Japan, India, and Singapore apart from the United States.
According to the official website of ManageEngine “Three of every five Fortune 500 companies trust us to manage their IT” which indicates that 3 out of 5 Fortune 500 companies are currently vulnerable.
A full list of ManageEngine’s customers is available here.
The flaws were identified when researchers at Digital Defense were carrying out a penetration test for a customer to assess the security of the business and identify vulnerabilities. During the course of their research, they found multiple flaws of critical nature in the IT help desk software ManageEngine. In total seven flaws were identified, each of them allowing the attacker full control of host servers that ran Zoho’s SaaS suite of applications.
Moreover, the flaws happen to be application-level vulnerabilities present in the web-RPC services of the impacted software suites. Vulnerabilities included unauthenticated file upload, authenticated remote code execution, blind SQL injection, and user enumeration flaws. Researchers were concerned that these flaws can easily reveal sensitive user data and also let the application be fully compromised.
Mike Cotton, vice president of engineering at Digital Defense, said that: “These flaws can be generalized as application failures that do not properly sanitize user input, resulting in a sequence that can allow a hacker to execute remote code on targeted systems.”
Zoho Corp. was notified about the flaws by Digital Defense in November 2017 and the company also coordinated exposure of the flaws. ManageEngine has stated that fixes are available for all the seven affected applications. Cotton further noted that the flaws are “bad and critical,” but the vulnerability in Service Plus is the one companies need to watch out for.
“We have seen a lot of instances of companies making these interfaces available externally on the internet,” Cotton stated and further added that such kinds of configuration scenarios allow attackers a direct non-firewall attack route to obtain control of key infrastructure almost instantaneously. Researchers explained that the Service Plus vulnerability is triggered by a servlet (CmClientUtilServlet), which does not require authentication to be accessed. This lets attackers create a request to the application such as move attachment without checking the extension of the file.
“This (method) can be leveraged to upload a JSP web shell, that can be used to run commands as SYSTEM, fully compromising the host running the ServiceDesk Plus application,” researchers wrote in their blog post.