Zoho, the web-based office suite and SaaS services provider, has released a security update for its ManageEngine Desktop Central endpoint management solution to fix a remote code execution vulnerability that can be exploited without authentication.
Desktop Central lets companies such as managed service providers (MSPs) manage devices including servers, laptops, desktops, smartphones, and tablets from a central location, and automate routine endpoint management tasks such as patch installation, OS imaging, and remote control of endpoints.
Zoho patches zero-day impacting thousands of servers
The security flaw, now tracked as CVE-2020-10189, is caused by deserialization of untrusted data in the getChartImage function of the FileStorage class. It impacts Desktop Central build 10.0.473 and below, and Zoho fixed it with the release of build 10.0.479.
Customers running Desktop Central build 10.0.474 and above are also not vulnerable, according to Zoho, since a short-term fix for the unauthenticated arbitrary file upload flaw was included in build 10.0.474, released on January 20, 2020.
At the moment, over 2,300 ManageEngine Desktop Central servers can be reached over the Internet according to a Shodan scan shared by Microsoft Security Response Center security researcher Nate Warfield.
Since exploiting CVE-2020-10189 lets attackers execute arbitrary code as SYSTEM/root on unpatched servers, attacks on exposed instances could lead to malware being deployed across the networks of companies that have not yet patched their Desktop Central installations. A compromised Desktop Central server is especially dangerous because it already has the ability to push software and commands to every endpoint it manages.
https://t.co/cCOrj1t6bo – “only” 2300+ of these online…..
— Nate Warfield (@n0x08) March 5, 2020
Vulnerability disclosed on Twitter without notification
Source Incite security researcher Steven Seeley publicly disclosed the zero-day vulnerability on Twitter on March 5, saying that he decided to do this because Zoho “typically ignores researchers.”
“The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data,” Seeley’s security advisory explains. “An attacker can leverage this vulnerability to execute code under the context of SYSTEM.”
The researcher also released a proof-of-concept exploit showing how attackers could exploit the vulnerability on unpatched systems running Zoho's Unified Endpoint Management (UEM) software.
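The bug class the advisory describes, untrusted bytes handed straight to Java's ObjectInputStream, is easy to reproduce in miniature. The following is an added example written for this article; it is not ManageEngine's code and does not reproduce the Desktop Central exploit. The class names (ChartSpec, Gadget, loadUnsafe, loadHardened) are hypothetical, and the Gadget class is a constructed stand-in for the kind of gadget chain a real attacker would build from library classes already on the server's classpath. It contrasts the vulnerable pattern with a JEP 290 deserialization filter (java.io.ObjectInputFilter, Java 9 and later) that allow-lists the one expected class.

```java
import java.io.*;

/**
 * Added illustration of the "deserialization of untrusted data" bug class.
 * Not ManageEngine's code; all class and method names are hypothetical.
 */
public class DeserializationDemo {

    /** The benign payload type the endpoint actually expects (hypothetical). */
    public static class ChartSpec implements Serializable {
        private static final long serialVersionUID = 1L;
        final String chartName;
        ChartSpec(String chartName) { this.chartName = chartName; }
    }

    /**
     * Constructed stand-in for a deserialization gadget. Real gadgets are
     * library classes already on the classpath; this one only sets a flag
     * so the side effect of readObject() running is visible.
     */
    public static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // a real gadget would spawn a process here
        }
    }

    /** Vulnerable: any Serializable class on the classpath may be instantiated. */
    public static Object loadUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened: the filter runs before any class from the stream is
     * instantiated, so a rejected class never gets its readObject() called.
     * Pattern: allow ChartSpec and java.base types, reject everything else.
     */
    public static Object loadHardened(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                ChartSpec.class.getName() + ";java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    /** Helper that plays the attacker: produce the serialized bytes. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new ChartSpec("cpu-usage"));   // constructed sample input
        byte[] hostile = serialize(new Gadget());                // constructed sample input

        loadUnsafe(hostile);
        System.out.println("unsafe path: gadget readObject ran = " + Gadget.triggered);

        Gadget.triggered = false;
        Object ok = loadHardened(benign);
        System.out.println("hardened path accepts ChartSpec = " + (ok instanceof ChartSpec));
        try {
            loadHardened(hostile);
        } catch (InvalidClassException e) {
            System.out.println("hardened path rejected gadget: " + e.getMessage());
        }
        System.out.println("hardened path: gadget readObject ran = " + Gadget.triggered);
    }
}
```

The point of the example is the ordering: ObjectInputStream resolves and filters the class descriptor before it reads the object's field data, so with the filter in place the gadget's readObject() never executes. An allow-list of concrete expected types is the right shape for this filter; a deny-list of known gadget classes is exactly the kind of short-term mitigation that later gadget research tends to bypass.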
Since @zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE’ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!
— (@steventseeley) March 5, 2020