
A Vulnerability in ManageEngine Applications Manager Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2018-026

DATE(S) ISSUED:

03/12/2018

OVERVIEW:

A vulnerability has been discovered in ManageEngine Applications Manager, which could allow for remote code execution. The ManageEngine Applications Manager monitors a company’s physical, virtual, and cloud information technology (IT) infrastructure, including application servers, databases, big data stores, web servers, virtual systems, and cloud resources. Successful exploitation of this vulnerability could result in remote code execution in the context of the affected system. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild. However, a Metasploit module and a proof-of-concept exploit have been publicly released, so exploitation attempts against exposed instances should be expected.

SYSTEMS AFFECTED:

  • ManageEngine Applications Manager 13.5

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
N/A

TECHNICAL SUMMARY:

A vulnerability has been discovered in ManageEngine Applications Manager, which could allow for remote code execution. The publicly accessible testCredential.do endpoint takes multiple user inputs and validates the supplied credentials by connecting to the target system named in the request. This endpoint calls several internal classes and then executes a PowerShell script. If the specified system is an Office SharePoint Server, the username and password parameters are passed to that script without validation, so an attacker who embeds PowerShell metacharacters in either value can inject arbitrary commands (command injection). Because the endpoint is reachable without authentication, the only precondition is network access to the Applications Manager web interface. Successful exploitation of this vulnerability could result in remote code execution in the context of the affected system. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install appropriate updates provided by ManageEngine as they become available and after appropriate testing has been completed.
  • Verify that no unauthorized system modifications have occurred on the system before applying the anticipated patch, since a public exploit is available and a patched host may already be compromised.
  • Monitor intrusion detection systems and web server logs for any signs of anomalous activity, in particular requests to testCredential.do carrying shell or PowerShell metacharacters in the credential fields.
  • Unless required, limit external network access to the affected product.
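The following log-review script is an added example and is not part of this advisory or of the ManageEngine product; it supports the monitoring recommendation above by scanning access-log lines for requests to testCredential.do whose username or password values contain PowerShell metacharacters, the injection vector described in the technical summary. The sample log lines are constructed for illustration, the combined log format is assumed, and the parameter names (type, userName, password) are assumptions rather than documented names; adapt the name matching in credential_params to whatever your instance actually records.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format. They are
# illustrative only, not captured traffic, and the parameter names
# (type, userName, password) are assumptions, not documented names.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2018:10:01:02 +0000] "GET /testCredential.do?type=SharePoint&userName=svc_mon&password=Winter2018 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2018:10:02:15 +0000] "GET /testCredential.do?type=SharePoint&userName=a%3Bstart-process%20calc&password=x HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2018:10:02:40 +0000] "GET /testCredential.do?type=SharePoint&userName=a&password=%24(whoami) HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2018:10:03:01 +0000] "GET /index.do HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2018:10:03:30 +0000] "GET /testCredential.do?type=Database&userName=a%7Cwhoami&password=x HTTP/1.1" 200 512
"""

# client, timestamp, method, request target and status from a combined-format line.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that terminate or extend a PowerShell command when a value is
# interpolated into a script unquoted: statement separator, pipe, background
# operator, backtick escape, variable/subexpression, script block, line breaks.
PS_METACHARS = re.compile(r'[;|&`$(){}\r\n]')


def credential_params(query):
    """Return (name, value) pairs for parameters that look like a username or password.

    Matching on substrings of the name is an assumption made so the check still
    fires if the real parameter names differ from the ones in the sample log.
    """
    out = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        lowered = name.lower()
        if "user" in lowered or "pass" in lowered:
            out.extend((name, v) for v in values)
    return out


def find_suspicious(log_text):
    """Scan log lines for testCredential.do requests whose credential fields carry metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/testcredential.do"):
            continue
        # parse_qs percent-decodes values, so %3B becomes ';' before the check.
        qs = parse_qs(parts.query, keep_blank_values=True)
        cred_type = qs.get("type", [""])[0]
        for name, value in credential_params(parts.query):
            if PS_METACHARS.search(value):
                hits.append({
                    "client": m.group("client"),
                    "time": m.group("ts"),
                    "type": cred_type,
                    "param": name,
                    "value": value,
                    # The advisory ties the injection to the SharePoint path;
                    # other types are still worth a look but are lower confidence.
                    "sharepoint": cred_type.lower() == "sharepoint",
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        confidence = "HIGH" if hit["sharepoint"] else "LOW"
        print(f'{hit["time"]} {hit["client"]} type={hit["type"]} '
              f'{hit["param"]}={hit["value"]!r} confidence={confidence}')
```

Two caveats for real use: a web server access log only records the query string, so if the endpoint is driven by POST the values must come from a proxy, WAF or application log that captures request bodies, and the same function can be pointed at that. Passwords containing characters such as parentheses or `$` will produce false positives; tune PS_METACHARS to your environment, but keep `;`, `|`, `&`, the backtick and `$(` because those are the characters that change what the PowerShell script executes.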

REFERENCES:


CIS Control That Helps Avoid This Issue: CIS Control 3: Continuous Vulnerability Assessment and Remediation