Critical ManageEngine remote code execution bug

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity Level: Critical – The flaw can allow remote code execution (RCE) without authentication in several Zoho ManageEngine products when the SAML SSO criteria are met.

A proof of concept (PoC) exploit for the vulnerability will be released later this week. The flaw was found by researchers in the attack team of Horizon3, an automated penetration testing firm.

This vulnerability is being tracked as CVE-2022-47966.

Impact

Successful exploitation of CVE-2022-47966 could allow unauthenticated RCE on a target system with the privileges of the account the ManageEngine service is running under.

Vulnerability Detection

ManageEngine has advised that installations are affected where SAML-based SSO is, or has previously been, enabled in the ManageEngine setup and an outdated software version is in use. Current patches should be applied immediately.

Affected Products

The list of vulnerable software includes almost all ManageEngine products:

– Access Manager Plus v4307 and below
– Active Directory 360 v4309 and below
– ADAudit Plus v7080 and below
– ADManager Plus v7161 and below
– ADSelfService Plus v6210 and below
– Analytics Plus v5140 and below
– Application Control Plus v10.1.2220.17 and below
– Asset Explorer v6982 and below
– Browser Security Plus v11.1.2238.5 and below
– Device Control Plus v10.1.2220.17 and below
– Endpoint Central v10.1.2228.10 and below
– Endpoint Central MSP v10.1.2228.10 and below
– Endpoint DLP v10.1.2137.5 and below
– Key Manager Plus v6400 and below
– OS Deployer v1.1.2243.0 and below
– PAM 360 v5712 and below
– Password Manager Pro v12123 and below
– Patch Manager Plus v10.1.2220.17 and below
– Remote Access Plus v10.1.2228.10 and below
– Remote Monitoring and Management (RMM) v10.1.40 and below
– ServiceDesk Plus v14003 and below
– ServiceDesk Plus MSP v13000 and below
– SupportCenter Plus v11017 to 11025
– Vulnerability Manager Plus v10.1.2220.17 and below

Containment, Mitigations & Remediations

ManageEngine released patches for all affected products by the end of October 2022. Where possible, organisations utilising ManageEngine should apply any available patches, as detailed within the security advisory.

If patching of the solution is not viable, consider whether the service needs to be accessible from the internet.

Indicators of Compromise

In order for an attacker to exploit this RCE vulnerability, a specifically crafted SAML request is required. This request is signed with an invalid signature, and this allows for detection within the ManageEngine logs. Investigations should focus on an increased number of entries within the log files with the following string: “Signature validation failed. SAML Response rejected.”
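As an added illustration (not part of the bulletin or of any vendor tooling), the following Python script scans log lines for that string and counts hits per five-minute window, so that a burst of rejected SAML responses stands out from the occasional misconfigured identity provider. The log line layout and the sample lines are constructed assumptions, not the real ManageEngine log format; adjust the regex to the actual files.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed line layout: "<ISO timestamp> <LEVEL> <message>". The real
# ManageEngine log format may differ; only the IoC string itself is from the bulletin.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<level>\w+)\s+(?P<msg>.*)$")
IOC_STRING = "Signature validation failed. SAML Response rejected."

# Constructed sample: one isolated rejection, then a burst of four within seconds.
SAMPLE_LOG = """\
2023-01-17T09:00:01 INFO SAML Response accepted for user alice
2023-01-17T09:05:12 ERROR Signature validation failed. SAML Response rejected.
2023-01-17T12:30:00 ERROR Signature validation failed. SAML Response rejected.
2023-01-17T12:30:02 ERROR Signature validation failed. SAML Response rejected.
2023-01-17T12:30:03 ERROR Signature validation failed. SAML Response rejected.
2023-01-17T12:30:05 ERROR Signature validation failed. SAML Response rejected.
2023-01-17T12:31:00 INFO SAML Response accepted for user bob
"""


def ioc_hits(log_text):
    """Return the timestamp of every line whose message contains the IoC string."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and IOC_STRING in m.group("msg"):
            hits.append(datetime.fromisoformat(m.group("ts")))
    return hits


def burst_windows(timestamps, window_minutes=5, threshold=3):
    """Bucket hits into fixed windows; return windows at or above the threshold.

    A lone rejected response is often a misconfigured IdP. A cluster of them in a
    short window is the 'increased number of entries' the bulletin says to investigate.
    """
    counts = Counter()
    for ts in timestamps:
        bucket = ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % window_minutes)
        counts[bucket] += 1
    return {start: n for start, n in counts.items() if n >= threshold}


def triage(log_text, window_minutes=5, threshold=3):
    """Convenience wrapper: sorted list of (window start ISO string, hit count)."""
    bursts = burst_windows(ioc_hits(log_text), window_minutes, threshold)
    return sorted((start.isoformat(), n) for start, n in bursts.items())


if __name__ == "__main__":
    for start, n in triage(SAMPLE_LOG):
        print(f"{n} rejected SAML responses in the window starting {start}")
```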

Threat Landscape

Due to the low complexity of the attack, the lack of authentication required and the level of control granted, this vulnerability is likely to see mass exploitation.

Threat Group

At the time of writing, no threat groups have been identified to be actively exploiting this vulnerability.

Mitre Methodologies

T1210 – Exploitation of Remote Services
T1190 – Exploit Public-Facing Application

Further Information

ManageEngine Security Advisory
Horizon3.ai – ManageEngine CVE-2022-47966 IOCs
CVE-2022-47966
