Digital Defense uncovered multiple, previously undisclosed vulnerabilities within several Zoho ManageEngine products.
ManageEngine offers more than 90 tools to help manage IT operations, including networks, servers, applications, service desk, Active Directory, security, desktops, and mobile devices. Currently, the company claims to have more than 40,000 customers, including three out of every five Fortune 500 company.
The discovered vulnerabilities allow unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially revealing sensitive information or full compromise of the application.
Affected applications include ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.
- DDI-VRT-2018-01 – Unauthenticated File Upload via /servlets/CmClientUtilServlet
- DDI-VRT-2018-02 – Unauthenticated Blind SQL Injection via /servlets/RegisterAgent
- DDI-VRT-2018-03 – Unauthenticated Blind SQL Injection via /servlets/StatusUpdateServlet and /servlets/AgentActionServlet
- DDI-VRT-2018-04 – Multiple Unauthenticated Blind SQL Injections via /embedWidget
- DDI-VRT-2018-05 – Unauthenticated XML External Entity Injection via /SNMPDiscoveryURL
- DDI-VRT-2018-06 – Unauthenticated Blind SQL Injection via /unauthenticatedservlets/ELARequestHandler and /unauthenticatedservlets/NPMRequestHandler
- DDI-VRT-2018-07 – User Enumeration via /servlets/ConfServlet.
Zoho ManageEngine has addressed the vulnerabilities and is making patches available for each of the affected applications.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.