Critical ManageEngine Desktop Server Bug Opens Orgs to Malware

Zoho’s comprehensive endpoint-management platform suffers from an authentication-bypass bug (CVE-2021-44757) that could lead to remote code execution.

A critical security vulnerability in the Zoho ManageEngine Desktop Central and Desktop Central MSP platforms could allow authentication bypass, the company has warned.

The bug (CVE-2021-44757) could allow a remote user to “perform unauthorized actions in the server,” according to the company’s Monday security advisory. “If exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary .ZIP file on the server.”

Zoho’s ManageEngine Desktop Central is a unified endpoint management (UEM) solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location. Users can automate routines like installing patches, deploying software, imaging and deploying OS, according to the company’s documentation. It can also be used to manage assets and software licenses, monitor software-usage statistics, manage USB device usage, take control of remote desktops, and more.

Infosec Insiders Newsletter

On the mobile side, users can deploy profiles and policies; configure devices for Wi-Fi, VPNs, email accounts and so on; apply restrictions on application installs, camera usage and the browser; and manage security with passcodes and remote lock/wipe functionality.

As such, the platform offers far-reaching access into the guts of an organization’s IT footprint, making for an information-disclosure nightmare in the case of an exploit, potentially. As well, the ability to install a .ZIP file paves the way for the installation of malware on all of the endpoints managed by the Desktop Central instance.

In the case of the MSP version – which, as its name suggests, allows managed service providers (MSPs) to offer endpoint management to their own customers – the bug could be used in a supply-chain attack. Cybercriminals can simply compromise one MSP’s Desktop Central MSP edition and potentially gain access to the customers whose footprints are being managed using it, depending on security measures the provider has put in place.

Zoho ManageEngine released a Knowledge Base entry detailing patches on Monday, and users are encouraged to update to the latest build in order to protect themselves. The firm also offered tips for general hardening of Desktop Central environments in the KB article.

Zoho ManageEngine: Popular for Zero-Day Attacks

The company didn’t say whether the bug has been under attack as a zero-day vulnerability, but it’s a good bet that cyberattackers will start targeting it for exploit if they haven’t already. The ManageEngine platform is a popular one for attackers, given its all-seeing nature.

This played out in September, for instance, when a critical security vulnerability (CVE-2021-40539) in the Zoho ManageEngine ADSelfService Plus platform was patched; it could allow remote attackers to bypass authentication and have free rein across users’ Active Directory (AD) and cloud accounts. But it was under active attack even before it was fixed, according to the Cybersecurity and Infrastructure Security Agency (CISA).

In December, the FBI even went so far as to issue an official alert after a Zoho ManageEngine zero-day vulnerability was found to be under active attack from an advanced persistent threat (APT) group. That bug (CVE-2021-44515) could allow remote attackers to override legitimate functions of servers running ManageEngine Desktop Central and to elevate privileges – with an ultimate goal of dropping malware onto organizations’ networks.

Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.


Suggested articles