Business tools development company Zoho says it’s working on a patch for a zero-day vulnerability affecting its ManageEngine Desktop Central product.
ManageEngine Desktop Central is a unified endpoint management solution designed to help organizations manage servers, laptops, desktop computers and mobile devices. The solution includes capabilities for installing patches, deploying software and operating systems, managing assets, obtaining software usage statistics, and remotely controlling devices. The vendor’s website lists over 1,000 “reputed customers” of this product.
Researcher Steven Seeley of Source Incite on Thursday disclosed the details of a critical vulnerability in Desktop Central that can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges.
“The specific flaw exists within the FileStorage class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code under the context of SYSTEM,” Seeley explained.
Seeley published an advisory describing his findings and also released a proof-of-concept (PoC) exploit. The vulnerability was discovered in December 2019, but, the researcher told SecurityWeek, he decided not to inform Zoho of its existence prior to disclosure due to past experience with the vendor.
“Since Zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone,” Seeley wrote on Twitter.
In response to Seeley’s tweet, Zoho said it identified the issue and has started working on a patch “with top priority.”
A researcher from Microsoft pointed out that Shodan currently lists over 2,300 internet-exposed instances of ManageEngine Desktop Central, which increases the chances of malicious hackers targeting the vulnerability disclosed by Seeley.
“Administration tools, such as Zoho ManageEngine Desktop Central, make for desirable targets,” Rick Holland, CISO and VP of strategy at Digital Shadows, told SecurityWeek. “Client Management Tools like Desktop Central can manage servers and endpoints, including mobile devices. If an attacker can comprise a solution like Desktop Central, they have an “open season” on that target company’s environment. An attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitor users’ machines.”
“Given that this vulnerability enables unauthenticated remote execution of code it is even more critical that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately,” Holland added.
Several members of the infosecurity community agree with Seeley that Zoho has a poor vulnerability disclosure process, but others commended the vendor recently for how fast it patched a security hole.
SecurityWeek has reached out to Zoho for comment and will update this article if the company responds.
UPDATE. ManageEngine said it patched the vulnerability on March 7 with the release of version 10.0.479. The vulnerability is tracked as CVE-2020-10189.
*updated with comments from Rick Holland