Zoho has patched a new critical vulnerability that affects the company’s unified endpoint management (UEM) solutions Desktop Central and Desktop Central MSP.
Zoho ManageEngine Desktop Central is a desktop and mobile device management software. Administrators can manage servers, laptops, desktops, cellphones, and tablets from one place with this tool.
Zoho launched the updated versions of Desktop Central and Desktop Central MSP, which address the security hole identified as CVE-2021-44757.
On the vulnerability notifications page, Zoho states that this is an authentication bypass vulnerability that can allow a remote user to perform unauthorized actions on the server. The successful exploitation of this vulnerability may allow an attacker to read unauthorized data or write an arbitrary zip file on the server.
In early December, Zoho patched another critical vulnerability (CVE-2021-44515) that could allow threat actors to bypass authentication and execute arbitrary code on unpatched ManageEngine Desktop Central servers.
Multiple APT organizations have been exploiting the CVE-2021-44515 vulnerability since late October 2021, according to the FBI’s Cyber Division, which confirmed Zoho’s ongoing exploitation notice last December.
This isn’t the first time in recent months that Zoho ManageEngine servers have been targeted in cyber-attacks. The attackers have targeted and breached networks belonging to critical infrastructure organizations around the world by using:
- ADSelfService Plus authentication bypass vulnerability (CVE-2021-40539)
- ManageEngine ServiceDesk Plus and SupportCenter Plus Unauthenticated Remote Code Execution (CVE-2021-44077)
Affected versions
The following versions of Zoho ManageEngine Desktop Central and Desktop Central MSP are prone to this vulnerability:
- For Enterprise:
- Builds prior to 10.1.2137.9
- For MSP:
- Builds prior to 10.1.2137.9
Mitigation
Here are the upgrades released by Zoho:
- For Enterprise:
- Builds prior to 10.1.2137.9
- For MSP:
- Builds prior to 10.1.2137.9
To apply this fix, perform the following step:
-
- Log in to your Desktop Central console, click on your current build number on the top right corner.
- You will be able to find the latest build applicable to you. Download the PPM and update.
Refer to the following advisories for more information:
Qualys Detection
Qualys customers can scan their devices with QID 730334 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://www.manageengine.com/products/desktop-central/cve-2021-44757.html
https://www.manageengine.com/desktop-management-msp/cve-2021-44757.html
https://www.bleepingcomputer.com/news/security/zoho-plugs-another-critical-security-hole-in-desktop-central/
https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022