Multiple Critical Flaws Found in Zoho’s ManageEngine

Researchers have discovered critical vulnerabilities in Zoho’s ManageEngine suite that can lead to data loss and possible remote code execution.

Researchers have found multiple critical flaws in the IT management software suite ManageEngine, made by Zoho Corp. In all, seven vulnerabilities were discovered, which together can allow an attacker to ultimately take control of the host servers running the affected ManageEngine applications.

According to researchers at Digital Defense, who found the flaws, each of the bugs is an application-layer vulnerability residing in the web-rpc services of the affected software suites. The researchers published a blog on Wednesday outlining their findings.

Digital Defense’s Vulnerability Research Team said vulnerabilities included unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration flaws. Each of them, according to researchers, can potentially reveal sensitive information or can lead to a full compromise of the application.

“These flaws can be generalized as application failures that do not properly sanitize user input, resulting in a sequence that can allow a hacker to execute remote code on targeted systems,” said Mike Cotton, vice president of engineering at Digital Defense.

Digital Defense discovered the vulnerabilities and notified Zoho of them in November. ManageEngine and Digital Defense coordinated disclosure of the vulnerabilities, and ManageEngine patches for each of the seven flaws are available today. ManageEngine is separate from Zoho One, a separate suite of SaaS applications. Both ManageEngine and Zoho One are owned by Zoho Corp.

Affected ManageEngine applications include ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.

“They are all bad and critical flaws,” Cotton said. “But the Service Plus (vulnerability) is one companies are going to want to watch out for. We have seen a lot of instances of companies making these interfaces available externally on the internet.”

He added that those types of configuration scenarios give attackers a very “direct non-firewall attack path to gain a foothold on key infrastructure right away.”

According to researchers, the ServiceDesk Plus vulnerability can be triggered via a servlet (CmClientUtilServlet) that can be reached without authentication. Simply put, an attacker can send the application a specially crafted request invoking its “moveAttachments” operation, which relocates a file to a remote directory without checking the file’s extension.

“This (method) can be leveraged to upload a JSP web shell that can be used to run commands as SYSTEM, fully compromising the host running the ServiceDesk Plus application,” researchers said.
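The failure the researchers describe, a move operation that accepts a filename and a destination without checking the extension, is easy to model, and so is the check that was missing. The Python below is an added illustration written for this article; it is not ManageEngine’s servlet code nor Digital Defense’s proof of concept. The function names, the attachment root, the destination directories and the extension allowlist are all assumptions. It places the weak behaviour beside a hardened version that rejects server-executable extensions (including double extensions such as `report.pdf.jsp`), strips directory components from the filename, and refuses any destination that resolves outside the attachment root. Authentication is assumed to be enforced by the caller; the article’s point is that the servlet did not require it at all.

```python
"""Attachment-move validation: weak form beside hardened form.

Added example, not ManageEngine's code. Paths, names and the allowlist
below are constructed for illustration.
"""
from pathlib import Path, PurePosixPath

# Constructed allowlist: extensions a help-desk attachment may legitimately carry.
ALLOWED_EXTENSIONS = {".txt", ".log", ".png", ".jpg", ".jpeg", ".pdf", ".zip"}

# Extensions a Java servlet container will execute if they land in a web root.
SERVER_SIDE_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".war", ".class"}


class UnsafeMoveError(ValueError):
    """Raised when a requested move fails validation."""


def move_attachments_unchecked(filename: str, dest_dir: str) -> str:
    """Weak form: trusts both the client-supplied filename and destination.

    Returns the path the file would be written to. A '.jsp' name combined
    with a destination inside the web root yields a web-shell location;
    nothing here prevents it (this mirrors the behaviour the article describes).
    """
    return str(Path(dest_dir) / filename)


def validate_attachment_move(attachment_root: str, filename: str, dest_dir: str) -> Path:
    """Hardened form. Returns the validated destination path or raises UnsafeMoveError.

    Rejects: directory separators or traversal in the filename, any
    server-executable extension anywhere in the name, extensions outside the
    allowlist, and destinations that resolve outside attachment_root.
    """
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        raise UnsafeMoveError("filename must be a bare file name")
    name = PurePosixPath(filename).name
    if name != filename or name in (".", ".."):
        raise UnsafeMoveError("filename must be a bare file name")

    # Check every suffix, not just the last one: 'a.png.jsp' is still a JSP.
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        raise UnsafeMoveError("filename has no extension")
    if any(s in SERVER_SIDE_EXTENSIONS for s in suffixes):
        raise UnsafeMoveError(f"server-executable extension in {filename!r}")
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        raise UnsafeMoveError(f"extension {suffixes[-1]!r} is not allowed")

    # Path containment: resolve and require the root to be an ancestor.
    # An absolute dest_dir replaces root when joined, so it also ends up rejected.
    root = Path(attachment_root).resolve()
    dest = (root / dest_dir / name).resolve()
    if root not in dest.parents:
        raise UnsafeMoveError(f"destination {dest} escapes {root}")
    return dest


def is_safe_move(attachment_root: str, filename: str, dest_dir: str) -> bool:
    """Boolean wrapper around validate_attachment_move for quick checks."""
    try:
        validate_attachment_move(attachment_root, filename, dest_dir)
        return True
    except UnsafeMoveError:
        return False


if __name__ == "__main__":
    # Constructed paths; '/opt/app/webapps/ROOT' stands in for a servlet web root.
    root = "/srv/helpdesk/attachments"
    print("weak  :", move_attachments_unchecked("shell.jsp", "/opt/app/webapps/ROOT"))
    for fname, dest in [("screenshot.png", "tickets/42"),
                        ("shell.jsp", "tickets/42"),
                        ("report.pdf.jsp", "tickets/42"),
                        ("notes.txt", "/opt/app/webapps/ROOT"),
                        ("notes.txt", "../../webapps/ROOT")]:
        print(f"hardened: {fname!r} -> {dest!r}: {is_safe_move(root, fname, dest)}")
```

The weak function is deliberately the behaviour the article describes; the hardened one shows that extension filtering alone is not enough, since an attacker who controls the destination can still write a harmless-looking file anywhere the service account can reach, which is why the containment check accompanies the allowlist.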