Researchers have found multiple critical flaws in the IT help desk software ManageEngine, made by Zoho Corp. In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine’s SaaS suite of applications.

According to researchers at Digital Defense, who found the flaws, each of the bugs is an application-layer vulnerability residing in the web-rpc services of the affected software suites. The researchers published a blog post on Wednesday outlining their findings.

Digital Defense’s Vulnerability Research Team said vulnerabilities included unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration flaws. Each of them, according to researchers, can potentially reveal sensitive information or can lead to a full compromise of the application.

“These flaws can be generalized as application failures that do not properly sanitize user input, resulting in a sequence that can allow a hacker to execute remote code on targeted systems,” said Mike Cotton, vice president of engineering at Digital Defense.

Digital Defense discovered the vulnerabilities and notified Zoho in November. ManageEngine and Digital Defense coordinated disclosure, and ManageEngine patches for each of the seven flaws are available today. ManageEngine is distinct from Zoho One, a separate suite of SaaS applications; both are owned by Zoho Corp.

Affected ManageEngine applications include ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.

“They are all bad and critical flaws,” Cotton said. “But the Service Plus (vulnerability) is one companies are going to want to watch out for. We have seen a lot of instances of companies making these interfaces available externally on the internet.”

He added that those types of configuration scenarios give attackers a very “direct non-firewall attack path to gain a foothold on key infrastructure right away.”

According to researchers, the Service Plus vulnerability can be triggered via a servlet (CmClientUtilServlet) that can be accessed without authentication. Simply put, an attacker can craft a request asking the application to “moveAttachments” to a remote directory, and the application does so without checking the file extension.

“This (method) can be leveraged to upload a JSP web shell, that can be used to run commands as SYSTEM, fully compromising the host running the ServiceDesk Plus application,” researchers said.
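The two defensive points in that description are the missing file-extension check and the fact that the request pattern itself is observable in web-server logs. The following Python script is an added example, not code from the article, from Digital Defense or from ManageEngine. It shows the kind of allow-list and path check the upload path lacked, and runs a simple detector over constructed access-log lines for requests to the named servlet. The URL path `/CmClientUtilServlet` and the `action`/`fileName` query parameters are assumptions for illustration; the article names only the servlet and the “moveAttachments” action, not the exact request format.

```python
import re
from typing import Iterable, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format). Addresses are
# documentation ranges and the path/parameter layout is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2018:14:02:11 +0000] "POST /CmClientUtilServlet?action=moveAttachments&fileName=shell.jsp HTTP/1.1" 200 512
198.51.100.3 - alice [10/Jan/2018:14:03:02 +0000] "GET /CmClientUtilServlet?action=moveAttachments&fileName=invoice.pdf HTTP/1.1" 200 210
203.0.113.7 - - [10/Jan/2018:14:03:40 +0000] "POST /CmClientUtilServlet?action=moveAttachments&fileName=..%2F..%2Fx.JSP HTTP/1.1" 200 512
192.0.2.44 - bob [10/Jan/2018:14:04:00 +0000] "GET /WorkOrder.do?woMode=viewWO HTTP/1.1" 200 8192
"""

# Minimal CLF parser: client IP, remote user, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Allow-list of attachment types a help-desk deployment might accept.
# Anything executable by the servlet container (jsp, jspx, war, ...) is absent.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt", "csv", "docx", "xlsx"}


def is_safe_attachment_name(name: str) -> bool:
    """The check the vulnerable code path lacked: reject path separators and
    NUL bytes (so the file cannot be moved outside the attachment directory)
    and require the final extension to be on the allow-list. Only the last
    extension counts, so 'report.pdf.jsp' is rejected."""
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return False
    return ext.lower() in ALLOWED_EXTENSIONS


def scan_access_log(lines: Iterable[str]) -> List[dict]:
    """Flag every moveAttachments request to the servlet. Because the article
    says the servlet is reachable without authentication, the request pattern
    itself is the indicator; the file-name check only ranks severity."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["path"])
        if "CmClientUtilServlet" not in parts.path:
            continue
        params = parse_qs(parts.query)  # parse_qs percent-decodes values
        if params.get("action", [""])[0] != "moveAttachments":
            continue
        file_name = params.get("fileName", [""])[0]
        severity = "info" if is_safe_attachment_name(file_name) else "high"
        findings.append({
            "ip": m["ip"],
            "user": m["user"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "file_name": file_name,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']:4}] {f['ts']} {f['ip']} -> {f['file_name']!r}")
```

Run against a real log the regex will need adjusting to the server's log format, and the query-parameter names to whatever the deployment actually uses. The severity split is deliberate: a successful (HTTP 200) `moveAttachments` request naming a `.jsp` file or containing `../` is the case worth paging on, while an allow-listed name from a known user is worth keeping for baseline only.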

Categories: Cloud Security, Vulnerabilities

Comments (6)

  1. Ted

    I’m assuming they were possibly hacked then today? I just received an email that my password has been changed. Or maybe it’s a security update? Hmmm…

  2. Bob

    Same here, can’t recall that I had an account to be honest. Reset the password again (this time by me) and saw no login activity. Closed the account.

  3. ManageEngine

    Digital Defense responsibly disclosed these vulnerabilities to ManageEngine in November of 2017. Shortly afterwards, our security and development teams got in touch with them to gather more information and initiate remedial measures. At ManageEngine, we accord the highest priority to the security of our applications, and have released patches for all affected products.
    Learn more at https://goo.gl/47dQfR.
    Please note that these vulnerabilities in ManageEngine applications have no bearing on Zoho’s SaaS infrastructure.

  4. ManageEngine

    Kim, we recommend that you upgrade to the latest version of ServiceDesk Plus, 9400.

    Please download the upgrade pack from https://www.manageengine.com/products/service-desk/service-packs.html and immediately upgrade to the latest version (9400). Read the upgrade instructions carefully (https://www.manageengine.com/products/service-desk/service-packs.html#sp) before beginning the upgrade. For assistance, write to or call us toll-free at +1.888.720.9500.
