Headline
Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability
Categories: Exploits and vulnerabilities Categories: News Tags: Zoho
Tags: ManageEngine
Tags: PoC
Tags: RCE
Tags: CVE-2022-47966
Tags: CVE-2022-35405
Tags: SAML
Tags: Apache Santuario
Proof of Concept code is about to be released for a vulnerability in many ManageEngine products which could enable RCE with SYSTEM privileges.
(Read more…)
The post Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability appeared first on Malwarebytes Labs.
Users of multiple Zoho ManageEngine products are under urgent advice to install the patch issued October 27, 2022. The advice is urgent because on January 13, 2023 the Horizon3 Attack Team tweeted that Proof of Concept (PoC) code and a deep-dive blog will be released within a week.
Mitigation
A long list of vulnerable ManageEngine products and their fixed version can be found in the ManageEngine advisory. Clicking on the URLs under Fixed Version(s) behind the affected product takes you to the update instructions for that product.
The vulnerability
The vulnerability, listed under CVE-2022-47966, is described as an unauthenticated remote code execution vulnerability. The vulnerability is caused by the use of an outdated third-party dependency, Apache Santuario. Apache Santuario is used for XML syntax and processing. The vulnerability allows a successful attacker remote code execution with SYSTEM level access, meaning the entire system could be compromised.
Zoho used Security Assertion Markup Language (SAML) to simplify the authentication process. SAML is an open standard used for authentication and based upon the Extensible Markup Language (XML) format.
According to Horizon3:
The vulnerability is easy to exploit and a good candidate for attackers to “spray and pray” across the internet.
Exploit
An attacker would need to send a specially crafted SAML request to trigger the exploit.
Please note that depending on the specific ManageEngine product, this vulnerability is exploitable if SAML single-sign-on is enabled or has ever been enabled. So, even if you do not currently have SAML enabled, you are under advice to install the patch with priority.
A Shodan scan performed by the researchers showed 5255 exposed instances of ServiceDesk Plus of which 509 have SAML enabled, and 3105 exposed instances of Endpoint Central, of which 345 have SAML enabled. At the moment we have no knowledge of active attacks against this vulnerability, but that might change rapidly once the PoC code is available.
In September, 2022, an RCE vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier) were found to be being actively exploited after several PoCs and a Metasploit module for it were made public.
IOCs
IOCs for ServiceDesk Plus, Endpoint Central, and Other ManageEngine Products can be found in the blogpost by Horizon3 about this vulnerability.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Related news
Iranian nation-state actors have been conducting password spray attacks against thousands of organizations globally between February and July 2023, new findings from Microsoft reveal. The tech giant, which is tracking the activity under the name Peach Sandstorm (formerly Holmium), said the adversary pursued organizations in the satellite, defense, and pharmaceutical sectors to likely facilitate
The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called such as QuiteRAT. Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis
This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.
A recent campaign shows that the politically motivated threat actor has more tricks up its sleeve than previously known, targeting an old RCE flaw and wiping logs to cover their tracks.
The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a
An Iranian government-backed actor known as Mint Sandstorm has been linked to attacks aimed at critical infrastructure in the U.S. between late 2021 to mid-2022. "This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align
Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. As many as 24 different products, including Access
This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the Endpoint Central SAML endpoint. Note that the target is only vulnerable if it is configured with SAML-based SSO, and the service should be active.
This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine AdSelfService Plus versions 6210 and below. Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ADSelfService Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.
This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.
Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
The latest critical bug is exploitable in dozens of ManageEngine products and exposes systems to catastrophic risks, researchers warn.
Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of a proof-of-concept (PoC) exploit code. The issue in question is CVE-2022-47966, an unauthenticated remote code execution vulnerability affecting several products due to the use of an outdated third-party dependency, Apache Santuario. "This vulnerability allows an
Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.