ManageEngine vulnerability posed code injection risk for password management software


Emma Woollacott 09 September 2022 at 12:46 UTC

Authentication-free flaw opened the door to a raft of exploits

A vulnerability in ManageEngine has been resolved

A researcher has discovered a vulnerability in ManageEngine that could allow an attacker to execute arbitrary code on affected installations of some of its password and access management tools.

ManageEngine offers enterprise IT management software for service management, operations management, Active Directory, and security, and is used by 280,000 organizations in 190 countries.

Thanks to the use of a vulnerable version of Apache OFBiz, a Java-based open source enterprise resource planning (ERP) system, remote attackers could have executed arbitrary code on vulnerable installations of Password Manager Pro, access management tool PAM360, and Access Manager Plus, according to GitHub security researcher Alvaro Muñoz.


No authentication would have been needed to exploit this vulnerability in the Password Manager Pro or PAM360 products. In the case of Password Manager Pro, an attacker would be able to enter internal networks, compromise data on the server, or crash or shut down the whole server and its applications.

The vulnerable version of Apache OFBiz, dating back to 2020, exposes an XMLRPC endpoint that is itself unauthenticated, because authentication is only applied on a per-service basis.

However, when the XMLRPC request is processed before authentication, any serialized arguments for the remote invocation are deserialized.

This, according to Muñoz, means that if the classpath contains any classes that can be used as gadgets to achieve remote code execution (RCE), an attacker would be able to run arbitrary system commands on any OFBiz server with the same privileges as the servlet container running OFBiz.
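Because the deserialization described above happens before any per-service authentication runs, an application-level auth check cannot stop it; the practical control is to inspect or filter XML-RPC bodies in front of the application. The following Python check is an added example for that purpose and is not code from the article, from ManageEngine or from Apache OFBiz. It parses an XML-RPC request body the way a reverse proxy or WAF plugin might, and flags any call that carries a Java serialized object, either as the Apache XML-RPC `serializable` extension element or as a base64 value that opens with the Java serialization stream magic 0xACED0005 (base64 `rO0AB`). The method name and the serialized blob in the samples are constructed placeholders, not real OFBiz services or gadget payloads.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Every Java serialization stream starts with the magic 0xACED followed by
# stream version 0x0005; base64-encoded, such a stream begins with "rO0AB".
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def _local(tag):
    """Drop an XML namespace, e.g. '{http://.../extensions}serializable' -> 'serializable'."""
    return tag.rsplit("}", 1)[-1]


def _looks_like_java_stream(text):
    """True if a text node is base64 that decodes to a Java serialization stream."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)


def inspect_xmlrpc(body):
    """Return a list of (method_name, reason) findings for an XML-RPC request body.

    An empty list means the call carries only ordinary XML-RPC values.
    For untrusted input in production, parse with defusedxml rather than the
    standard library parser to avoid entity-expansion attacks on the inspector itself.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [("<unparseable>", "body is not well-formed XML")]
    if _local(root.tag) != "methodCall":
        return []
    name_el = root.find("methodName")
    method = name_el.text.strip() if name_el is not None and name_el.text else "<unknown>"
    findings = []
    for el in root.iter():
        local = _local(el.tag)
        if local == "serializable":
            findings.append((method, "serializable extension element present"))
        if el.text and local in ("serializable", "base64", "string") \
                and _looks_like_java_stream(el.text):
            findings.append((method, f"<{local}> value decodes to a Java serialization stream"))
    return findings


def should_block(body):
    """Policy decision for the proxy: reject any call that carries serialized Java objects."""
    return bool(inspect_xmlrpc(body))


# Constructed sample: an ordinary XML-RPC call with a plain string parameter.
BENIGN_REQUEST = """
<methodCall>
  <methodName>ping</methodName>
  <params><param><value><string>hello</string></value></param></params>
</methodCall>
"""

# Constructed sample: the blob is only the stream magic plus placeholder bytes,
# not a real object graph; it is enough to exercise the detector.
SAMPLE_BLOB = base64.b64encode(JAVA_SERIAL_MAGIC + b"constructed placeholder bytes").decode()
SUSPICIOUS_REQUEST = f"""
<methodCall xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions">
  <methodName>exampleService</methodName>
  <params><param><value><ex:serializable>{SAMPLE_BLOB}</ex:serializable></value></param></params>
</methodCall>
"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, "-> block" if should_block(body) else "-> allow", inspect_xmlrpc(body))
```

The check is deliberately independent of the method name: since authentication in the vulnerable version is decided per service, a denylist of service names would miss the problem, whereas the presence of a serialized Java object in the request is the condition that matters regardless of which service is named.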

Muñoz reported the issue – tracked as CVE-2020-9496 – to ManageEngine on 21 June, and it was acknowledged the same day. The vulnerability was resolved in a new release issued three days later.

"I’d like to thank the security community, although I can’t disclose vulnerability information, there were some researchers who managed to go after it and come up with a working poc [proof of concept], exploits and Metasploit modules," he said.

