ManageEngine vulnerability posed code injection risk for password management software

Emma Woollacott 09 September 2022 at 12:46 UTC
Updated: 09 September 2022 at 15:28 UTC

Authentication-free flaw opened the door to a raft of exploits

UPDATED A vulnerability in ManageEngine could allow an attacker to execute arbitrary code on affected installations of some of its password and access management tools.

ManageEngine offers enterprise IT management software for service management, operations management, Active Directory, and security, and is used by 280,000 organizations in 190 countries.

Thanks to the use of a vulnerable version of Apache OFBiz, a Java-based open source enterprise resource planning (ERP) system, remote attackers could have executed arbitrary code on vulnerable installations of Password Manager Pro, access management tool PAM360, and Access Manager Plus, according to a researcher using the name viniciuspereiras.

Catch up on the latest security research news

No authentication would have been needed to exploit this vulnerability in Password Manager Pro or PAM360 products. In the case of Password Manager Pro, an attacker would be able to enter internal networks, compromise data on the server, or crash or shutdown the whole server and applications.

The vulnerable version of Apache OFBiz, dating back to 2020, exposes an XMLRPC endpoint, which is unauthenticated as authentication is only applied on a per-service basis.

However, when the XMLRPC request is processed before authentication, any serialized arguments for the remote invocation are deserialized.

This, according to the researcher, means that if the classpath contains any classes that can be used as gadgets to achieve remote code execution (RCE), an attacker would be able to run arbitrary system commands on any OfBiz server with the same privileges as the servlet container running OfBiz.

The issue – tracked as CVE-2020-9496 – was reported to ManageEngine on 21 June, and it was acknowledged the same day. The vulnerability was resolved in a new release issued three days later.

“I’d like to thank the security community, although I can’t disclose vulnerability information, there were some researchers who managed to go after it and come up with a working poc [proof of concept], exploits and Metasploit modules,” the blog post reads.

This article has been updated to include clarifications.

RELATED LastPass flags security incident after attackers stole source code, technical information