A Vulnerability in ManageEngine Applications Manager Could Allow for Remote Code Execution

ITS Advisory Number: 2018-026
Date(s) Issued: Monday, March 12, 2018
Subject: A Vulnerability in ManageEngine Applications Manager Could Allow for Remote Code Execution
Overview: 

A vulnerability has been discovered in ManageEngine Applications Manager, which could allow for remote code execution. The ManageEngine Applications Manager monitors a company’s physical, virtual, and cloud information technology (IT) infrastructure, including application servers, databases, big data stores, web servers, virtual systems, and cloud resources. Successful exploitation of this vulnerability could result in remote code execution in the context of the affected system. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being actively exploited in the wild.

Systems Affected: 
  • ManageEngine Applications Manager 13.5
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: Medium
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: N/A
Description: 

A vulnerability has been discovered in ManageEngine Applications Manager, which could allow for remote code execution. The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specific system. This endpoint calls several internal classes and then executes a PowerShell script. If the specified system is an Office SharePoint Server, then the username and password parameters to this script are not validated, leading to command injection. Successful exploitation of this vulnerability could result in remote code execution in the context of the affected system. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

Actions: 
  • After appropriate testing, immediately install updates provided by ManageEngine.
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
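
The monitoring and network-access actions above can be checked against web access logs. The following Python code is an added example, not part of the original advisory or of ManageEngine's software; it flags requests to the testCredential.do endpoint and counts those arriving from outside the internal ranges. The log format (Common/Combined Log Format), the internal address ranges and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Endpoint named in the advisory; compared case-insensitively with the URL path.
ENDPOINT = "/testcredential.do"
# Assumption: these ranges are "internal"; replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: Common/Combined Log Format from the web tier in front of the product.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def is_external(addr):
    """True when the source is outside INTERNAL_NETS or is not an IP address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # hostname or malformed source field: treat as untrusted
    return not any(ip in net for net in INTERNAL_NETS)

def find_testcredential_hits(lines):
    """Return (hits, external_counts) for requests whose path is testCredential.do."""
    hits, external = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        path = re.split(r"[?;]", m["target"], maxsplit=1)[0].lower()
        if not path.endswith(ENDPOINT):
            continue
        ext = is_external(m["src"])
        hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                     "status": int(m["status"]), "external": ext})
        if ext:
            external[m["src"]] += 1
    return hits, external

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.4.17 - - [12/Mar/2018:09:14:02 +0000] "GET / HTTP/1.1" 200 5120',
    '10.0.4.17 - - [12/Mar/2018:09:15:40 +0000] "POST /testCredential.do HTTP/1.1" 200 311',
    '203.0.113.45 - - [12/Mar/2018:11:02:13 +0000] "POST /testCredential.do HTTP/1.1" 200 298',
    '203.0.113.45 - - [12/Mar/2018:11:02:19 +0000] "POST /testCredential.do HTTP/1.1" 200 298',
]

if __name__ == "__main__":
    hits, external = find_testcredential_hits(SAMPLE_LOG)
    for src, count in external.most_common():
        print(f"external source {src}: {count} request(s) to testCredential.do")
```

Any external source in the result is a reason to review that host's activity and to confirm that the endpoint is not reachable from outside the management network.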