Researchers at Digital Defense have uncovered several potentially serious vulnerabilities in IT management products from ManageEngine, including ones that allow an attacker to take complete control of the affected application. The vendor has released patches to address the flaws.
Zoho-owned ManageEngine provides network, data center, desktop and mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 company.
One of the flaws found by Digital Defense affects ManageEngine’s ServiceDesk Plus help desk software. An unauthenticated file upload vulnerability allows an attacker to upload a JavaScript web shell and use it to execute arbitrary commands with SYSTEM privileges.
Experts also discovered several blind SQL injection vulnerabilities that allow an unauthenticated attacker to take complete control of an application and possibly even the underlying host.
These types of flaws have been found in the OpManager network monitoring product, Network Configuration Manager, bandwidth monitoring and traffic analysis product NetFlow Analyzer, firewall configuration and log management product Firewall Analyzer, and IP address management app OpUtils.
These products are also impacted by an enumeration issue that can be exploited to access user information such as usernames, email addresses and phone numbers.
An attacker could gain access to the content of files on the host running ManageEngine applications by leveraging an unauthenticated XML External Entity (XXE) vulnerability.
Digital Defense said ManageEngine promptly responded to its vulnerability reports and released updates for each of the affected applications to address the security holes.
“Application layer vulnerabilities continue to be a key area of focus for software vendors,” said Mike Cotton, vice president of engineering at Digital Defense. “We are pleased to work collaboratively with affected vendors to facilitate prompt resolution, ensuring our clients and enterprises are protected from any potential exploitation of these vulnerabilities.”
Digital Defense recently reported discovering authentication bypass, arbitrary file upload, and path traversal vulnerabilities affecting data protection products from both Dell EMC and VMware.
Related: Serious Vulnerabilities Found in Riverbed SteelCentral Portal