A critical remote code execution vulnerability has been discovered in multiple Zoho ManageEngine products. Tracked as CVE-2022-47966, it affects 24 ManageEngine products. Successful exploitation may allow an attacker to execute code remotely on the affected system.
Khoadha of Viettel Cyber Security discovered this vulnerability through the Zoho Bug Bounty program.
Zoho ManageEngine offers enterprise IT management software for service management, operations management, Active Directory, and security needs. The suite provides a wide range of IT management solutions aimed at keeping the business secure, ensuring high availability, and delivering customer satisfaction.
CVE-2022-47966 is an unauthenticated remote code execution vulnerability arising from the use of an outdated third-party dependency, Apache Santuario, in Zoho ManageEngine products. Target systems are only vulnerable if SAML SSO is, or at some point was, enabled in the ManageEngine setup.
If SAML-based SSO was configured during ManageEngine setup and is currently active, then it will affect the following products:
- PAM 360
- OS Deployer
- Endpoint DLP
- Analytics Plus
- Endpoint Central
- Key Manager Plus
- Device Control Plus
- Remote Access Plus
- Patch Manager Plus
- Access Manager Plus
- Browser Security Plus
- Endpoint Central MSP
- Password Manager Pro
- Application Control Plus
- Vulnerability Manager Plus
If SAML-based SSO was configured at least once in the past, regardless of the current SAML-based SSO status, then it will affect the following products:
- ADAudit Plus
- Asset Explorer
- ADManager Plus
- ServiceDesk Plus
- ADSelfService Plus
- SupportCenter Plus
- Active Directory 360
- ServiceDesk Plus MSP
SAML Information Flow
SAML (Security Assertion Markup Language) supports single sign-on and is used as an authorization solution by enterprise organizations. When a user logs in to a remote service, the SAML Identity Provider receives the authentication request, checks the user's credentials to confirm they are correct and that the user is authorized to access the requested service, and returns a response to the client, which then passes it on to the Service Provider.
SAML relies on XML Signature and XML Encryption to verify that a message comes from the Identity Provider. The information flow uses the client's browser to relay all messages between the Service Provider (SP) and the Identity Provider (IdP).
XML Signature Validation
XML Signature validation is performed in two steps. The first is Reference Validation, which checks that each <Reference> element within <SignedInfo> has a valid digest value. The second is Signature Validation, which cryptographically verifies the <SignedInfo> element to ensure it has not been tampered with.
Although the official XML Signature specification lists reference validation before signature validation, the two steps may be carried out in either order. Signature validation should always be performed first, so that the transforms are known to come from a trusted source before they are processed: the reference validation step can involve executing attacker-controlled XML Transforms.
Vulnerability Exploit: SAML Validation Order
The SAML information flow gives an attacker the opportunity to add or modify SAML data while it is in transit. The first stage of the attack exploits the verification order. In older versions of xmlsec, reference validation is performed at the top of the validation routine; in newer versions, reference validation is moved to the end of the function, after signature verification.
Vulnerability Exploit: XSLT Injection
Each <Reference> element can contain a <Transform> element, which describes how to modify the referenced element before its digest is calculated. Transforms allow arbitrarily complex operations using XSL Transformations (XSLT).
In the ManageEngine environment, the Turing-complete XSLT language can invoke arbitrary Java code. In older versions of Apache Santuario, the SAML validation order combined with Java's XSLT library, which exposes arbitrary Java classes, allows an attacker to obtain remote code execution on ManageEngine products.
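A defensive pre-check that follows from the two preceding sections: before any reference is processed, inspect every <Transform> listed in the signature and reject the message if an XSLT transform (or any transform outside a small allowlist) is present. The code below is an added illustration, not part of the original advisory or of any Zoho or Apache Santuario code; the two SAML responses, the placeholder digest and signature values, and the allowlist of transform URIs are constructed for the example.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Transform algorithms a typical SAML Service Provider legitimately needs
# (assumed allowlist for this example; tighten it to what your IdP emits).
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}
# Algorithm URI the XML Signature spec assigns to the XSLT transform.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"


def screen_transforms(saml_xml: str) -> list:
    """Return a list of findings; an empty list means no unexpected transform.

    Runs on the raw message before any digest or signature processing,
    so an XSLT stylesheet under attacker control is never executed.
    """
    root = ET.fromstring(saml_xml)
    findings = []
    for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        for transform in ref.iter(f"{{{DSIG_NS}}}Transform"):
            alg = transform.get("Algorithm", "")
            if alg == XSLT_TRANSFORM:
                findings.append(f"Reference {uri!r}: XSLT transform present")
            elif alg not in ALLOWED_TRANSFORMS:
                findings.append(f"Reference {uri!r}: unexpected transform {alg!r}")
    return findings


def is_acceptable(saml_xml: str) -> bool:
    """True only when every transform in the message is on the allowlist."""
    return not screen_transforms(saml_xml)


def _response(transforms: str) -> str:
    # Constructed SAML response skeleton; digest and signature values are
    # placeholders because only the transform list is examined here.
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DSIG_NS}" ID="_resp1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:Transforms>{transforms}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""


# A normal IdP response: enveloped-signature followed by exclusive C14N.
BENIGN_RESPONSE = _response(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
)

# The same response with an XSLT transform inserted in transit
# (no stylesheet body is included; the algorithm URI alone is enough to reject).
TAMPERED_RESPONSE = _response(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    f'<ds:Transform Algorithm="{XSLT_TRANSFORM}"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        print(label, "->", "accept" if is_acceptable(msg) else screen_transforms(msg))
```

The screen is deliberately placed ahead of both validation steps: it only reads attribute values, so it is safe to run on untrusted input, and rejecting the message there means neither the digest computation nor the XSLT engine is ever reached. It complements, rather than replaces, upgrading Santuario and verifying the signature over <SignedInfo> before processing any reference.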
The vulnerability affects the following products and versions:
| Product Name | Impacted Version(s) |
| --- | --- |
| Access Manager Plus | 4307 and below |
| Active Directory 360 | 4309 and below |
| ADAudit Plus | 7080 and below |
| ADManager Plus | 7161 and below |
| ADSelfService Plus | 6210 and below |
| Analytics Plus | 5140 and below |
| Application Control Plus | 10.1.2220.17 and below |
| Asset Explorer | 6982 and below |
| Browser Security Plus | 11.1.2238.5 and below |
| Device Control Plus | 10.1.2220.17 and below |
| Endpoint Central | 10.1.2228.10 and below |
| Endpoint Central MSP | 10.1.2228.10 and below |
| Endpoint DLP | 10.1.2137.5 and below |
| Key Manager Plus | 6400 and below |
| OS Deployer | 1.1.2243.0 and below |
| PAM 360 | 5712 and below |
| Password Manager Pro | 12123 and below |
| Patch Manager Plus | 10.1.2220.17 and below |
| Remote Access Plus | 10.1.2228.10 and below |
| Remote Monitoring and Management (RMM) | 10.1.40 and below |
| ServiceDesk Plus | 14003 and below |
| ServiceDesk Plus MSP | 13000 and below |
| SupportCenter Plus | 11017 to 11025 |
| Vulnerability Manager Plus | 10.1.2220.17 and below |
Zoho has patched the vulnerability by updating the third-party module to a current version.
Customers should upgrade to the fixed versions listed below:
| Product Name | Patched Version |
| --- | --- |
| Access Manager Plus | 4308 |
| Active Directory 360 | 4310 |
| Application Control Plus | 10.1.2220.18 |
| Browser Security Plus | 11.1.2238.6 |
| Device Control Plus | 10.1.2220.18 |
| Endpoint Central MSP | 10.1.2228.11 |
| Key Manager Plus | 6401 |
| Password Manager Pro | 12124 |
| Patch Manager Plus | 10.1.2220.18 |
| Remote Access Plus | 10.1.2228.11 |
| Remote Monitoring and Management (RMM) | 10.1.41 |
| ServiceDesk Plus MSP | 13001 |
| Vulnerability Manager Plus | 10.1.2220.18 |
For more information, please refer to the Zoho ManageEngine Security Advisory.
Qualys customers can scan their devices with QIDs 377892 and 730708 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
NOTE: We will update the post once the Proof of Concept is made publicly available.