
Cybersecurity Threat Advisory 0018-20: ManageEngine RCE (CVE-2020-10189)

Advisory Overview

Zoho ManageEngine Desktop Central is vulnerable to Remote Code Execution (RCE). The vulnerability could allow an attacker to execute arbitrary code as SYSTEM or root without authentication. SKOUT recommends updating ManageEngine Desktop Central to the latest version, which contains a fix for this vulnerability.

Technical detail and additional information

What is the threat?

A Remote Code Execution (RCE) vulnerability exists in Zoho ManageEngine Desktop Central 10 due to a lack of proper validation of user-provided data. This can result in deserialization of untrusted data, specifically in “getChartImage” of the FileStorage class, which is reachable through the CewolfServlet and MDMLogUploaderServlet servlets. In practice, a malicious actor can execute arbitrary code as SYSTEM/root without authentication by sending crafted HTTP requests to these servlets. The attack can also be launched from a compromised device on the internal network even if ManageEngine Desktop Central is not exposed to the internet.

Why is this noteworthy?

This vulnerability affects ManageEngine Desktop Central 10, which many Managed Service Providers (MSPs) use to perform routine endpoint management tasks on client devices. The “MDMLogUploaderServlet” can be abused to plant a specially crafted file on the server, and that file is then read by getChartImage in the CewolfServlet without any further validation. Depending on the contents of the file this could compromise the server in a number of ways, most importantly by allowing remote code execution.
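The two-step pattern described above (an upload to MDMLogUploaderServlet followed shortly by a chart request to CewolfServlet from the same source) is something a defender can look for in the Desktop Central web server logs. The following is an added detection sketch, not SKOUT's or ManageEngine's code: the combined-log line format, the request paths and the sample lines are constructed assumptions, so the regex and path matching must be adapted to the actual log format and servlet URLs of your deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log style; paths are placeholders
# that only contain the servlet names named in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2020:10:01:02 +0000] "POST /MDMLogUploaderServlet HTTP/1.1" 200 12
10.0.0.5 - - [05/Mar/2020:10:01:09 +0000] "GET /CewolfServlet HTTP/1.1" 200 4096
10.0.0.9 - - [05/Mar/2020:10:05:00 +0000] "GET /CewolfServlet HTTP/1.1" 200 9000
10.0.0.7 - - [05/Mar/2020:11:00:00 +0000] "POST /MDMLogUploaderServlet HTTP/1.1" 200 12
10.0.0.7 - - [05/Mar/2020:13:00:00 +0000] "GET /CewolfServlet HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=10)  # assumed: how close the two requests must be


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def find_upload_then_chart(log_text, window=WINDOW):
    """Flag source IPs that hit MDMLogUploaderServlet and then CewolfServlet within `window`.

    Internal addresses are deliberately not excluded: the advisory notes the attack can
    originate from a compromised device on the local network.
    """
    last_upload = {}  # ip -> timestamp of the most recent successful upload request
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] >= 400:  # ignore unparsable or failed requests
            continue
        path = rec["path"].lower()
        if "mdmloguploaderservlet" in path:
            last_upload[rec["ip"]] = rec["ts"]
        elif "cewolfservlet" in path:
            t0 = last_upload.get(rec["ip"])
            if t0 is not None and timedelta(0) <= rec["ts"] - t0 <= window:
                alerts.append({"ip": rec["ip"], "upload_at": t0, "chart_at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for a in find_upload_then_chart(SAMPLE_LOG):
        print(f"possible CVE-2020-10189 activity from {a['ip']}: upload {a['upload_at']}, chart {a['chart_at']}")
```

Legitimate agents also upload logs, so a match is a lead for investigation (check the uploaded file and the process tree of the Desktop Central service), not proof of compromise.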

What is the exposure or risk?

When exploited, this vulnerability allows a malicious actor to execute arbitrary commands or code on the server. If a device was compromised this way, the malicious actor would have access to the full suite of MSP management tools in ManageEngine Desktop Central 10, and to all the client devices that are managed with it. This means that if an MSP is compromised, the compromise could then be extended to all the client networks that it manages. The primary concern in this case is the ability of an attacker to use this exploit to plant ransomware on the networks of every client of a compromised MSP, effectively compromising every client network by compromising only the MSP.

What are the recommendations?

ManageEngine has released an update that patches this vulnerability, and it can be found at the following link:

If you use ManageEngine Desktop Central, apply this update as soon as possible.

References:

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.