Code Execution Flaws Found in ManageEngine Products

Researchers at cybersecurity technology and services provider Digital Defense have identified another round of vulnerabilities affecting products from Zoho-owned ManageEngine.

ManageEngine provides network, data center, desktop, mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 companies.

Earlier this year, Digital Defense reported finding several potentially serious flaws in ManageEngine’s ServiceDesk Plus help desk software, and on Wednesday the company disclosed the details of six additional security holes found by its researchers in ManageEngine Log360, EventLog Analyzer, and Applications Manager products.

The vulnerabilities have been described by Digital Defense as file upload, blind SQL injection, local file inclusion, and API key disclosure issues that can be exploited without authentication for arbitrary code execution and obtaining potentially sensitive information.

According to the security firm, the Log360 and EventLog Analyzer log management products are affected by an unauthenticated file upload vulnerability that can be exploited to upload a JavaServer Pages (JSP) web shell to the root directory. This is possible because the file upload feature’s security checks can be easily bypassed.

The rest of the flaws discovered by Digital Defense researchers impact ManageEngine Applications Manager and many of them can be exploited for arbitrary code execution.

Experts have identified several blind SQL injection flaws that can be leveraged by unauthenticated attackers to execute arbitrary code with SYSTEM privileges and gain complete control of the targeted host.

The list of security holes also includes a local file inclusion issue that can be exploited to download files that may contain sensitive information.
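As an added defensive illustration, not code from the article, Digital Defense or ManageEngine, the following Python script scans web-server access-log lines for the traces the flaw classes described above would leave: a POST that carries a .jsp filename, a later request to a JSP sitting in the web root from the same client, time-based SQL injection fragments in a query string, and directory traversal in a download parameter. The log lines, client addresses and endpoints (/upload, /download, /api/json/search) are constructed for the example and are not ManageEngine's real paths.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Tomcat/Apache "combined"-style) for a
# hypothetical Java web application. The paths (/upload, /download, /api/...)
# and client addresses are invented for this example; they are not
# ManageEngine's real endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2018:10:01:02 +0000] "POST /upload?filename=report.pdf HTTP/1.1" 200 512
10.0.0.9 - - [07/Mar/2018:10:02:10 +0000] "POST /upload?filename=cmd.JSP HTTP/1.1" 200 88
10.0.0.9 - - [07/Mar/2018:10:02:12 +0000] "GET /cmd.JSP?x=1 HTTP/1.1" 200 1934
10.0.0.7 - - [07/Mar/2018:10:03:00 +0000] "GET /api/json/search?q=abc%27+AND+SLEEP(5)--+ HTTP/1.1" 200 40
10.0.0.8 - - [07/Mar/2018:10:04:00 +0000] "GET /download?file=..%2F..%2Fconf%2Fdb.properties HTTP/1.1" 200 700
10.0.0.3 - - [07/Mar/2018:10:05:00 +0000] "GET /index.do HTTP/1.1" 200 3100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# A filename in any parameter that ends in .jsp/.jspx (case-insensitive). The
# negative lookahead still matches when a trailing dot or space follows the
# extension, which a naive endswith(".jsp") check would miss.
JSP_NAME_RE = re.compile(r'\.jspx?(?![A-Za-z0-9])', re.IGNORECASE)
# Requests for a JSP directly in the web root, e.g. /cmd.jsp
ROOT_JSP_RE = re.compile(r'^/[^/?]+\.jspx?(\?|$)', re.IGNORECASE)
# Time-based / tautology fragments typical of blind SQL injection probes
SQLI_RE = re.compile(
    r"(sleep\s*\(|waitfor\s+delay|benchmark\s*\(|pg_sleep\s*\(|'\s*(or|and)\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)
# Directory traversal, checked after URL-decoding so %2e%2e%2f variants match
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def scan(log_text):
    """Return a list of (rule, client_ip, decoded_target) findings."""
    findings = []
    jsp_uploaders = set()  # clients that already pushed a .jsp filename
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, target = rec["ip"], rec["method"], rec["decoded"]
        path = target.split("?", 1)[0]
        query = target[len(path):]

        if method == "POST" and JSP_NAME_RE.search(query):
            jsp_uploaders.add(ip)
            findings.append(("jsp_upload_attempt", ip, target))
        elif (method == "GET" and ROOT_JSP_RE.match(target)
              and ip in jsp_uploaders and rec["status"] == "200"):
            # Correlation: a successful GET for a root-level JSP by a client
            # that uploaded one is far stronger evidence than either event alone.
            findings.append(("webshell_hit", ip, target))

        if SQLI_RE.search(query):
            findings.append(("blind_sqli_probe", ip, target))
        if TRAVERSAL_RE.search(target):
            findings.append(("path_traversal", ip, target))
    return findings


def rules_fired(log_text):
    """Convenience view: the set of rule names that fired over a log."""
    return {rule for rule, _, _ in scan(log_text)}


if __name__ == "__main__":
    for rule, ip, target in scan(SAMPLE_LOG):
        print(f"{rule:20} {ip:10} {target}")
```

The patterns are deliberately narrow so the script stays readable; in production these checks would sit in a SIEM rule set alongside the vendor's March 7 patches, and the JSP correlation would key on user session or source address over a time window rather than on a single in-memory set.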

Researchers also discovered that an attacker can obtain an Applications Manager user’s API key by sending a specially crafted GET request.

“Depending on the privilege level of the compromised user, this could result in full compromise of both the Applications Manager web application and the host running it,” Digital Defense warned.

The vulnerabilities were reported to ManageEngine on February 12 and fixes were developed a few weeks later. Patches were made available to customers on March 7.

Related: Serious Flaws Affect Dell EMC, VMware Data Protection Products

Related: Serious Vulnerabilities Found in Riverbed SteelCentral Portal

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
