CVE-2020-10189: Deserialization Vulnerability in Zoho ManageEngine Desktop Central 10 Patched (SRC-2020-0011)
Zoho releases a patch for a critical remote code execution flaw in ManageEngine one day after the vulnerability was publicly disclosed.
Update 03/09/2020: Updated the Analysis section to include information on reports of active exploitation of this vulnerability.
Contexto
On March 5, Steven Seeley, an information security specialist at Source Incite, published an advisory for a vulnerability in Zoho ManageEngine Desktop Central. Desktop Central is a centralized management solution for a variety of devices – from personal computers (e.g., desktops, laptops) to mobile devices (e.g., smartphones, tablets). The vulnerability affects Desktop Central build 10.0.473 and below.
Análise
CVE-2020-10189 is an untrusted deserialization vulnerability in Zoho ManageEngine Desktop Central. The vulnerability stems from an improper input validation in the FileStorage class. According to Seeley, an unauthenticated, remote attacker can abuse the lack of validation in the FileStorage class to upload a malicious file containing a serialized payload onto the vulnerable Desktop Central host. To trigger the untrusted deserialization, an attacker would then need to make a subsequent request for the file uploaded onto the vulnerable host. This would then grant the attacker arbitrary code execution with SYSTEM/root privileges. For more detail, please refer to the proof-of-concept section, which contains Seeley’s detailed breakdown of the vulnerability.
https://t.co/cCOrj1t6bo - "only" 2300+ of these online.....
— Nate Warfield (@n0x08) March 5, 2020
According to a Shodan search by Nate Warfield, senior security program manager at Microsoft, there are over 2,300 publicly accessible Desktop Central instances.
On March 9, we became aware of reports this vulnerability is now being actively exploited in the wild, including a list of indicators of compromise.
Active exploitation of Zoho ManageEngine (CVE-2020-10189 ) now seen in the wild - https://t.co/LeY8OnAvdR - Some additional IOCs @ https://t.co/IN1ubCXRvp
— chris doman (@chrisdoman) March 9, 2020
Prova de conceito
Along with his advisory, Seeley published a proof-of-concept (PoC) for the vulnerability, which he shared in a tweet.
Solução
Zoho released a patch on March 6 to address this vulnerability in Desktop Central build 10.0.479. Users are strongly encouraged to patch as soon as possible by visiting ManageEngine’s service pack release page. The page also includes a link to download build 10.0.479.
Identificação de sistemas afetados
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Obtenha mais informações
- SRC-2020-0011: Source Incite Advisory for CVE-2020-10189
- SRC-2020-0011: Source Incite Proof-of-Concept for CVE-2020-10189
Junte-se à equipe de resposta de segurança da Tenable na Tenable.
Saiba mais sobre a Tenable, a primeira plataforma de Cyber Exposure para o gerenciamento holístico da sua superfície de ataque moderna.
Obtenha uma avaliação gratuita por 30 dias do Vulnerability Management da Tenable.io.
Artigos relacionados
CVE-2024-47575: Frequently Asked Questions About FortiJump Zero-Day in FortiManager and FortiManager Cloud
October 23, 2024Frequently asked questions about a zero-day vulnerability in Fortinet’s FortiManager that has reportedly been exploited in the wild.
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
October 22, 2024Twenty five years after the launch of CVE, the Tenable Security Response Team has handpicked 25 vulnerabilities that stand out for their significance.
Oracle October 2024 Critical Patch Update Addresses 198 CVEs
October 15, 2024Oracle addresses 198 CVEs in its fourth quarterly update of 2024 with 334 patches, including 35 critical updates.
Securing Financial Data in the Cloud: How Tenable Can Help
November 4, 2024Preventing data loss, complying with regulations, automating workflows and managing access are four key challenges facing financial institutions. Learn how Tenable can help.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
- Vulnerability Management