Digital Defense uncovered multiple, previously undisclosed vulnerabilities within several Zoho ManageEngine products.
ManageEngine offers more than 90 tools to help manage IT operations, including networks, servers, applications, service desk, Active Directory, security, desktops, and mobile devices. Currently, the company claims to have more than 40,000 customers, including three out of every five Fortune 500 company.
Vulnerability impact
The discovered vulnerabilities allow unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially revealing sensitive information or full compromise of the application.
Affected applications include ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.
Summary:
- DDI-VRT-2018-01 – Unauthenticated File Upload via /servlets/CmClientUtilServlet
- DDI-VRT-2018-02 – Unauthenticated Blind SQL Injection via /servlets/RegisterAgent
- DDI-VRT-2018-03 – Unauthenticated Blind SQL Injection via /servlets/StatusUpdateServlet and /servlets/AgentActionServlet
- DDI-VRT-2018-04 – Multiple Unauthenticated Blind SQL Injections via /embedWidget
- DDI-VRT-2018-05 – Unauthenticated XML External Entity Injection via /SNMPDiscoveryURL
- DDI-VRT-2018-06 – Unauthenticated Blind SQL Injection via /unauthenticatedservlets/ELARequestHandler and /unauthenticatedservlets/NPMRequestHandler
- DDI-VRT-2018-07 – User Enumeration via /servlets/ConfServlet.
Zoho ManageEngine has addressed the vulnerabilities and is making patches available for each of the affected applications.