ManageEngine Desktop Central unauthenticated remote code execution vulnerability (CVE-2020-10189)

Summary:

A zero-day vulnerability has been disclosed in the ManageEngine IT help desk software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to execute code on affected systems.

Description:

Zoho ManageEngine Desktop Central is affected by an untrusted deserialization vulnerability that stems from improper input validation in the FileStorage class. Desktop Central is a centralized management solution for a variety of devices, from personal computers (e.g., desktops, laptops) to mobile devices (e.g., smartphones, tablets).

The attacker's code is executed without the need for authentication, and it runs with root privileges on the machine. This vulnerability is also ideal for lateral movement: an attacker who gains access to one computer inside a company's network can use the Zoho zero-day to take over the ManageEngine server and then push malware to all the other computers on the company's network. This method of attacking MSPs and their software has now become mainstream among ransomware families.

At Qualys Labs, we have investigated the issue reported as CVE-2020-10189.

Affected Products:

Desktop Central build 10.0.473 and prior.

Advisory:

https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html

Mitigation:

Zoho released a patch on March 7, 2020 and asked users to update to the latest version, 10.0.479.

Alternatively, users can manually modify web.xml as follows.

Remove the content below from the file web.xml at /ManageEngine/DesktopCentral_Server/webapps/DesktopCentral/WEB-INF/web.xml.

After removing this content, restart the Desktop Central service.

—————————————————————
<servlet-mapping>
    <servlet-name>MDMLogUploaderServlet</servlet-name>
    <url-pattern>/mdm/mdmLogUploader</url-pattern>
    <url-pattern>/mdm/client/v1/mdmLogUploader</url-pattern>
</servlet-mapping>

<servlet>
    <servlet-name>MDMLogUploaderServlet</servlet-name>
    <servlet-class>com.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>CewolfServlet</servlet-name>
    <url-pattern>/cewolf/*</url-pattern>
</servlet-mapping>

<servlet>
    <servlet-name>CewolfServlet</servlet-name>
    <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>overliburl</param-name>
        <param-value>/js/overlib.js</param-value>
    </init-param>
    <init-param>
        <param-name>storage</param-name>
        <param-value>de.laures.cewolf.storage.FileStorage</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
—————————————————————
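As an added example (not Zoho's code or part of the original advisory), the script below audits a web.xml for the servlet and servlet-mapping entries named in the manual mitigation above and optionally removes them, which makes it easy to verify that the workaround was applied before restarting the service. The sample web.xml is constructed for the demo; a real Desktop Central web.xml is much larger.

```python
"""Audit/clean a Desktop Central web.xml for the servlet entries the manual
mitigation removes. Example code written for this page, not Zoho's."""
import xml.etree.ElementTree as ET

# Servlet names listed in the manual mitigation above.
MITIGATION_SERVLETS = {"MDMLogUploaderServlet", "CewolfServlet"}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def _servlet_name(elem):
    child = next((c for c in elem if _local(c.tag) == "servlet-name"), None)
    return (child.text or "").strip() if child is not None else None


def audit_web_xml(web_xml_text, remove=False):
    """Return (findings, new_text). findings lists (element, servlet-name)
    pairs still present; new_text is the cleaned document when remove=True,
    otherwise None (audit only)."""
    root = ET.fromstring(web_xml_text)
    if root.tag.startswith("{"):  # keep the default namespace on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    findings = []
    for elem in list(root):  # copy: we may remove while iterating
        kind = _local(elem.tag)
        if kind in ("servlet", "servlet-mapping") and _servlet_name(elem) in MITIGATION_SERVLETS:
            findings.append((kind, _servlet_name(elem)))
            if remove:
                root.remove(elem)
    return findings, (ET.tostring(root, encoding="unicode") if remove else None)


# Constructed sample (not a real Desktop Central web.xml): one unrelated
# servlet plus two of the entries the mitigation says to delete.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet><servlet-name>HealthServlet</servlet-name>
    <servlet-class>com.example.Health</servlet-class></servlet>
  <servlet-mapping><servlet-name>CewolfServlet</servlet-name>
    <url-pattern>/cewolf/*</url-pattern></servlet-mapping>
  <servlet><servlet-name>CewolfServlet</servlet-name>
    <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
    <init-param><param-name>storage</param-name>
      <param-value>de.laures.cewolf.storage.FileStorage</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    findings, cleaned = audit_web_xml(SAMPLE_WEB_XML, remove=True)
    print(findings)  # [('servlet-mapping', 'CewolfServlet'), ('servlet', 'CewolfServlet')]
    print(cleaned)   # the same document with only HealthServlet left
```

To check a live server, read the real web.xml path given above into `audit_web_xml` and confirm it returns an empty findings list after the edit and service restart.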

Qualys customers can scan their network with QID 372442 to detect vulnerable assets. Continue following Qualys Threat Protection for more coverage of vulnerabilities.

References & Sources:

  • https://srcincite.io/pocs/src-2020-0011.py.txt
  • https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html
