The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have warned users of a newly patched issue in Zoho’s ManageEngine ServiceDesk Plus and SupportCenter Plus that can be used to drop web– shells leading to remote code execution. CVE-2021-44077 is an unauthenticated remote code execution vulnerability that affects older versions of ServiceDesk Plus and SupportCenter Plus.
Zoho ManageEngine ServiceDesk Plus remote code execution vulnerability
ManageEngine ServiceDesk Plus is an asset management and helps desk software from ManageEngine. It includes Incident Management (Trouble Ticketing), Asset Tracking, Purchasing, Contract Management, Self-Service Portal, and Knowledge Base in its Integrated Package.
On September 16, 2021, this vulnerability was patched in version 11306 and an alert was issued in the security advisory.
The flaw allows an attacker to upload executable files and deploy web shells that allow for post-exploitation operations like compromising administrator credentials, lateral movement, and the exfiltration of registry hives and Active Directory files.
Zoho ManageEngine SupportCenter Plus remote code execution vulnerability
SupportCenter Plus is a web-based customer service software that allows businesses to manage client problems, account and contact information, and service contracts while also providing a better customer experience.
On September 16, 2021, this vulnerability was patched in version 11014 and an alert was issued in the security advisory.
This vulnerability allows an attacker to get unauthorized access to the program’s data using a few of its application URLs. To do so, an attacker must use a correct character set replacement to modify any vulnerable application URL path.
This URL can bypass authentication and get data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out additional attacks.
Affected versions
The vulnerability CVE-2021-44077 affects
- Zoho ManageEngine SupportCenter Plus 11012 and 11013
- Zoho ManageEngine ServiceDesk Plus versions 11305 and below
Mitigation
Customers are advised to update to Zoho ManageEngine ServiceDesk Plus build version 11306 or later and Zoho ManageEngine SupportCenter Plus version 11014 or later. Refer to the following advisories for more information:
Qualys Detection
Qualys customers can scan their devices with QID 730291 and 376137 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html
https://www.bleepingcomputer.com/news/security/hackers-use-in-house-zoho-servicedesk-exploit-to-drop-webshells/
https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-release-alert-active-exploitation-cve-2021-44077-zoho
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-supportcenter-plus-versions-11012-and-above-16-9-2021
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-supportcenter-plus-versions-11012-and-11013
https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021