Exploit released for critical ManageEngine RCE bug, patch now

Proof-of-concept exploit code is now available for a remote code execution (RCE) vulnerability in multiple Zoho ManageEngine products.

This pre-authentication RCE flaw is tracked as CVE-2022-47966 and stems from using an outdated and vulnerable version of the Apache Santuario library.

Unauthenticated threat actors can execute arbitrary code on ManageEngine instances following successful exploitation if the SAML-based single-sign-on (SSO) is or was enabled at least once before the attack.

Vulnerable software includes almost all ManageEngine products, but they’ve already been patched in several waves starting on October 27, 2022, by updating the third-party dependency to a secure version.

Access Manager Plus	Active Directory 360	OS Deployer
ADAudit Plus	ADManager Plus	Password Manager Pro
ADSelfService Plus	Analytics Plus	PAM 360
Application Control Plus	Asset Explorer	Patch Manager Plus
Browser Security Plus	Device Control Plus	Remote Monitoring and Management (RMM)
Endpoint Central	Endpoint Central MSP	Remote Access Plus
Endpoint DLP	Key Manager Plus	ServiceDesk Plus
ServiceDesk Plus MSP	SupportCenter Plus	Vulnerability Manager Plus

Horizon3 security researchers released a proof-of-concept (PoC) exploit and technical analysis for the vulnerability earlier today, following a Thursday warning that a CVE-2022-47966 PoC will be available later this week.

“The vulnerability allows an attacker to gain remote code execution by issuing a HTTP POST request containing a malicious SAML response,” the researchers said.

“This POC abuses the pre-authentication remote code execution vulnerability to run a command with Java’s Runtime.exec method,” they added.

The PoC exploit was tested against ServiceDesk Plus and Endpoint Central, and Horizon3 “expect this POC to work unmodified on many of the ManageEngine products that share some of their codebase with ServiceDesk Plus or EndpointCentral.”

Horizon3 has previously released exploit code for other critical security flaws in several different products, including:

• CVE-2022-28219, a critical flaw in Zoho ManageEngine ADAudit Plus that lets attackers compromise Active Directory accounts,
• CVE-2022-1388, a critical vulnerability allowing remote code execution in F5 BIG-IP networking devices,
• and CVE-2022-22972, a critical authentication bypass bug in multiple VMware products that can let threat actors gain admin privileges.

Incoming ‘spray and pray’ attacks

Last week, Horizon3 researchers also warned of a potential wave of attacks after the PoC exploit is released since “the vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet.”

They found thousands of unpatched ServiceDesk Plus and Endpoint Central servers exposed online via Shodan, with an estimated 10% of all detected devices exposed to CVE-2022-47966 attacks because they have SAML enabled.

While there are no reports of attacks leveraging this vulnerability and no attempts to exploit it in the wild, threat actors will likely move quickly to develop custom RCE exploits based on Horizon3’s PoC code.

In recent years, financially motivated and state-backed threat groups have heavily targeted Zoho ManageEngine servers.

For instance, threat actors also sold access to breached organizations’ networks on hacking forums after compromising Internet-exposed Desktop Central instances in July 2020.

Between August and October 2021, they were the target of a campaign orchestrated by nation-state hackers with tactics, techniques, and procedures (TTPs) similar to those of the Chinese APT27 hacking group.

Following these and other attacks targeting ManageEngine, CISA and the FBI issued two joint advisories [1, 2] to warn of state-backed attackers exploiting ManageEngine bugs to backdoor critical infrastructure organizations.

---

Original Source

---