SecurityWeek

Network Security

Code Execution Flaws Found in ManageEngine Products

Researchers at cybersecurity technology and services provider Digital Defense have identified another round of vulnerabilities affecting products from Zoho-owned ManageEngine.

ManageEngine provides network, data center, desktop, mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 companies.

Earlier this year, Digital Defense reported finding several potentially serious flaws in ManageEngine’s ServiceDesk Plus help desk software, and on Wednesday the company disclosed the details of six additional security holes found by its researchers in ManageEngine Log360, EventLog Analyzer, and Applications Manager products.

The vulnerabilities have been described by Digital Defense as file upload, blind SQL injection, local file inclusion, and API key disclosure issues that can be exploited without authentication for arbitrary code execution and obtaining potentially sensitive information.

According to the security firm, the Log360 and EventLog Analyzer log management products are affected by an unauthenticated file upload vulnerability that can be exploited to upload a JavaServer Pages (JSP) web shell to the root directory. This is possible because the security checks in a file upload feature can be easily bypassed.
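As an added illustration (not code from Digital Defense, ManageEngine or this article), the contrast between an upload check that merely rejects a trailing `.jsp` and an allowlist validator that also pins the destination inside a fixed upload directory; the upload directory, allowlist and sample file names are constructed assumptions.

```python
import os
import pathlib

# Constructed assumptions: a dedicated upload directory outside the web root,
# and a short allowlist of the only extensions the feature actually needs.
UPLOAD_ROOT = pathlib.Path("/var/app/uploads").resolve()
ALLOWED_EXTENSIONS = {".png", ".jpg", ".csv", ".txt"}


def naive_check(filename: str) -> bool:
    """Denylist on the visible extension only.

    This is the shape of check that is easy to get around: it looks at the
    last suffix of whatever string the client sent and nothing else.
    """
    return not filename.lower().endswith(".jsp")


def hardened_check(filename: str) -> bool:
    """Allowlist validation plus a canonical-path check on the destination."""
    # Discard any client-supplied directory components; keep only the leaf name.
    leaf = os.path.basename(filename.replace("\\", "/"))
    if not leaf or leaf in {".", ".."}:
        return False
    # Reject control characters, which some lower layers treat as terminators.
    if any(ord(c) < 32 for c in leaf):
        return False
    # Every suffix, not just the last one, must be on the allowlist, so a name
    # with an executable suffix hidden before a harmless one is rejected.
    suffixes = pathlib.PurePosixPath(leaf).suffixes
    if not suffixes or any(s.lower() not in ALLOWED_EXTENSIONS for s in suffixes):
        return False
    # Canonicalize the destination and confirm it is still under UPLOAD_ROOT,
    # so nothing can land in the application's root directory.
    dest = (UPLOAD_ROOT / leaf).resolve()
    return UPLOAD_ROOT in dest.parents


if __name__ == "__main__":
    # Constructed sample names exercising both validators.
    for name in ("report.png", "shell.jsp", "shell.JSP", "shell.jsp.png",
                 "../../ROOT/shell.jsp"):
        print(f"{name!r:28} naive={naive_check(name)!s:5} hardened={hardened_check(name)}")
```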

The rest of the flaws discovered by Digital Defense researchers impact ManageEngine Applications Manager and many of them can be exploited for arbitrary code execution.

Experts have identified several blind SQL injection flaws that can be leveraged by unauthenticated attackers to execute arbitrary code with SYSTEM privileges and gain complete control of the targeted host.

The list of security holes also includes a local file inclusion issue that can be exploited to download files that may contain sensitive information.


Researchers also discovered that an attacker can obtain an Applications Manager user’s API key by sending a specially crafted GET request.

“Depending on the privilege level of the compromised user, this could result in full compromise of both the Applications Manager web application and the host running it,” Digital Defense warned.

The vulnerabilities were reported to ManageEngine on February 12 and fixes were developed a few weeks later. Patches were made available to customers on March 7.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
