Zoho Patches Remote Code Execution Vulnerability Affecting Multiple ManageEngine Products (CVE-2022-47966)

A critical remote code execution vulnerability has been discovered in multiple Zoho ManageEngine products. Tracked as CVE-2022-47966, this vulnerability affects 24 products of ManageEngine. Successful exploitation of this vulnerability may allow an attacker to perform remote code execution. 

Khoadha of Viettel Cyber Security has discovered this vulnerability via Zoho Bug Bounty program. 
Zoho ManageEngine offers enterprise IT management software for service management, operations management, Active Directory, and security needs. This tool provides a wide range of IT management solutions, such as keeping 
business safe, ensuring high availability, and providing customer satisfaction. 
CVE-2022-47966 is an unauthenticated, remote code execution vulnerability arising from the usage of an outdated third-party dependency, Apache Santuario, in Zoho ManageEngine products. Target systems will only be vulnerable if SAML SSO is/was enabled in the ManageEngine setup.
If SAML-based SSO was configured during ManageEngine setup and is currently active, then it will affect the following products: 

  • PAM 360 
  • OS Deployer 
  • Endpoint DLP 
  • Analytics Plus 
  • Endpoint Central 
  • Key Manager Plus 
  • Device Control Plus 
  • Remote Access Plus 
  • Patch Manager Plus 
  • Access Manager Plus 
  • Browser Security Plus 
  • Endpoint Central MSP 
  • Password Manager Pro 
  • Application Control Plus 
  • Vulnerability Manager Plus 

If SAML-based SSO was configured at least once in the past, regardless of the current SAML-based SSO status, then it will affect the following products:

  • ADAudit Plus 
  • Asset Explorer 
  • ADManager Plus 
  • ServiceDesk Plus 
  • ADSelfService Plus 
  • SupportCenter Plus 
  • Active Directory 360 
  • ServiceDesk Plus MSP 

SAML Information Flow

SAML (Security Assertion Markup Language) supports single sign-on and is used as an authorization solution by enterprise organizations. The SAML Identity Provider receives the authentication request from the user when they log into a remote service. The SAML Identity Provider will then check the user’s credentials to ensure they’re correct and authorized to access the specified service. The client receives a response from the Identity Provider, which is then passed to the Service Provider.

SAML relies on XML signatures & XML Encryption to check if the message comes from the identity provider. The information flow uses the client’s browser to relay all information between the Service Provider (SP) and the Identity Provider (IDP). 

XML Signature Validation

XML Signature validation is performed in two steps. First is Reference Validation, which checks that each <Reference> element within the <SignedInfo> has a valid digest value. The second is Signature Validation, which cryptographically validates the <SignedInfo> element to ensure that the element has not been tampered with. 

Although reference validation is followed by signature validation in the official XML signature validation spec lists, these two processes can be carried out in any sequence. One should always perform signature validation as the first step to ensure that the transforms come from a reliable source. The reference validation step can involve processing attacker-controlled XML Transforms. 

Vulnerability Exploit: SAML Validation Order 

SAML information flow enables an attacker to add or modify the SAML data while in transit. The first attack stage for this issue will include exploiting the verification order. In the older version of xmlsec, the reference validation is performed at the top, while, in the newer version, the reference signature is moved to the end of the function after the signature verification. 

Vulnerability Exploit: XSLT Injection 

Each <Reference> element can contain a <Transform> element, which is responsible for describing how to modify an element before calculating its digest. The transforms allow for arbitrarily complex operations using XSL Transformations (XSLT). 

In the ManageEngine environment, the turing-complete language XSLT can run any Java code. One can take advantage of this vulnerability in ManageEngine products to obtain remote code execution by abusing the sequence of SAML validation in older versions of Apache Santuario and Java’s XSLT library, which gives access to run any Java classes. 

Affected versions  
The vulnerability affects the following products and versions:

Product Name  Impacted Version(s) 
Access Manager Plus  4307 and below 
Active Directory 360  4309 and below 
ADAudit Plus  7080 and below 
ADManager Plus  7161 and below 
ADSelfService Plus  6210 and below 
Analytics Plus  5140 and below 
Application Control Plus  10.1.2220.17 and below 
Asset Explorer  6982 and below 
Browser Security Plus  11.1.2238.5 and below 
Device Control Plus  10.1.2220.17 and below 
Endpoint Central  10.1.2228.10 and below 
Endpoint Central MSP  10.1.2228.10 and below 
Endpoint DLP  10.1.2137.5 and below 
Key Manager Plus  6400 and below 
OS Deployer  1.1.2243.0 and below 
PAM 360  5712 and below 
Password Manager Pro  12123 and below 
Patch Manager Plus  10.1.2220.17 and below 
Remote Access Plus  10.1.2228.10 and below 
Remote Monitoring and Management (RMM)  10.1.40 and below 
ServiceDesk Plus  14003 and below 
ServiceDesk Plus MSP  13000 and below 
SupportCenter Plus  11017 to 11025 
Vulnerability Manager Plus  10.1.2220.17 and below 

Zoho has patched the vulnerability by updating the third-party module to the recent version.  
Customers should upgrade to the fixed versions mentioned below:  

Product Name  Patched Version
Access Manager Plus  4308 
Active Directory 360  4310 
ADAudit Plus  7081 
ADManager Plus  7162 
ADSelfService Plus  6211 
Analytics Plus  5141 
Application Control Plus  10.1.2220.18 
Asset Explorer  6983 
Browser Security Plus  11.1.2238.6 
Device Control Plus  10.1.2220.18 
Endpoint Central  10.1.2228.11 
Endpoint Central MSP  10.1.2228.11 
Endpoint DLP  10.1.2137.6 
Key Manager Plus  6401 
OS Deployer  1.1.2243.1 
PAM 360  5713 
Password Manager Pro  12124 
Patch Manager Plus  10.1.2220.18 
Remote Access Plus  10.1.2228.11 
Remote Monitoring and Management (RMM)  10.1.41 
ServiceDesk Plus  14004 
ServiceDesk Plus MSP  13001 
SupportCenter Plus  11026 
Vulnerability Manager Plus  10.1.2220.18 

 For more information, please refer to the Zoho ManageEngine Security Advisory 
Qualys Detection  
Qualys customers can scan their devices with QIDs 377892 and 730708 to detect vulnerable assets.  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
NOTE: We will update the post once the Proof of Concept is made publicly available.


Leave a Reply

Your email address will not be published. Required fields are marked *