Authentication Bypass Vulnerabilities in Desktop Central (ZOHO ManageEngine)
By Vinith Sengunthar, December 9, 2021

In a recent security notification, Zoho has urged customers running ServiceDesk Plus and Desktop Central or Desktop Central MSP for asset discovery to update their installations to the latest versions. ManageEngine Desktop Central is an endpoint management platform for administrators: it lets admins deploy software and patches across the network automatically and troubleshoot endpoints remotely.

The notification concerns an authentication bypass vulnerability in ManageEngine Desktop Central, tracked as CVE-2021-44515. It is a remote code execution (RCE) vulnerability: an adversary can bypass authentication and execute arbitrary code on the Desktop Central server. Desktop Central Cloud is not affected.

CVE-2021-44515 results from a misconfiguration in one of the application's filters. By abusing this filter, an attacker can craft a URL that grants access to the server without proper authentication.

This is not the first time Zoho products have been targeted; attacks have been observed since July 2020. One recent campaign, run between August and October 2021, used APT27-like tactics against Zoho ManageEngine.

Impact: CVE-2021-44515 can let a threat actor bypass authentication and access the Templates field to update existing rules or create new ones.
These rules can include:
- Technician Auto Assign settings
- Assets associated with a user
- Translation and Change SLA configurations
- Asset Field's Allowed Values
- Role details from Change Templates
- Reordering of the Service Catalog

Severity: ServiceDesk Plus and Desktop Central are used by numerous organisations worldwide, and the vulnerability could have affected all of them. The severity of the bug is therefore high.

How to check if the installation is affected?

You can check whether an installation has been exploited with the Exploit Detection Tool developed by Zoho. Download the tool from Zoho, then follow the steps below:

1. The tool is delivered as a ZIP file. Extract it into the \ManageEngine\UEMS_CentralServer\bin folder or the \ManageEngine\DesktopCentral_Server\bin folder, depending on which server you run.
2. Open a command prompt with administrator privileges and navigate to the folder where the tool was extracted.
3. Run RCEScan.bat.
4. The tool runs a series of checks to determine whether the installation has been exploited and reports either "Exploit Detected" or "No Exploit Detected", depending on the result.

Indicators of compromise (IOCs) for CVE-2021-44515:
- A .zip file with MD5 9809bdf6e9981fbc3ad515b731124342 in the \lib folder
- A .jsp file in the \webapps\DesktopCentral\html folder

Mitigations: If the installation is found to be compromised, disconnect the affected system from the rest of the network. Next, back up the affected database. Once the backup of all critical data is complete, wipe the affected machine and restore Desktop Central from the backup. Restoring onto a different machine is recommended, keeping the build version the same as that of the backup.
Once the new installation is complete, the most important and mandatory step is to update Desktop Central to the latest version; Zoho has fixed the issue in the latest build. To update, log in to the console, click the current build number, and download the latest update and PPM. Besides the fresh installation, reset the passwords for everything that was accessed from the infected machine. Even if the machine was not compromised, update to the latest version to prevent future attacks.

For both Enterprise and MSP: everyone on builds 10.1.2127.17 and below should upgrade to 10.1.2127.18, and everyone on builds 10.1.2128.0 to 10.1.2137.2 should upgrade to 10.1.2137.3.

Advice from SOC:
- Reset passwords for all services, accounts, Active Directory, etc. Resetting Active Directory administrator passwords is also recommended.
- Update Desktop Central to the latest build.
- As always, make a copy of the entire Desktop Central installation folder before applying the upgrade, and keep the copy in a separate location.
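As an added example, not Zoho's Exploit Detection Tool and not code from the original post, the following PowerShell script turns the checks above into one triage pass on the Desktop Central server: it maps the build number shown in the console onto the upgrade targets listed for Enterprise and MSP, hashes every .zip under \lib against the MD5 given in the IOCs, and lists every .jsp under \webapps\DesktopCentral\html. The default install root, the script and function names and their parameters are assumptions of this example. Because the advisory text here does not preserve the names of the dropped files, the script reports every hash match and every .jsp for review instead of looking for a specific file name.

```powershell
<#
  Added triage example for CVE-2021-44515 (not Zoho's Exploit Detection Tool
  and not code from the original post). Assumptions: a Windows Desktop Central
  or UEMS server; the build number is supplied by the admin as shown in the
  console; the default install root and all function names are this example's
  own. The build ranges and the IOC hash and paths come from the advisory text.
#>
param(
    # Build number shown in the console, e.g. 10.1.2127.17
    [Parameter(Mandatory)][version]$Build,
    # Install root (assumed default); use ...\UEMS_CentralServer on UEMS-based installs
    [string]$InstallRoot = 'C:\ManageEngine\DesktopCentral_Server'
)

# Maps a build onto the upgrade target the advisory names, or $null when the
# build lies outside both vulnerable ranges (i.e. it is already a fixed build).
function Get-DcUpgradeTarget {
    param([Parameter(Mandatory)][version]$Build)
    if ($Build -le [version]'10.1.2127.17') { return [version]'10.1.2127.18' }
    if ($Build -ge [version]'10.1.2128.0' -and $Build -le [version]'10.1.2137.2') {
        return [version]'10.1.2137.3'
    }
    return $null
}

# MD5 of the dropped zip from the advisory. The file name is not preserved, so
# every .zip under \lib is hashed and compared instead of being matched by name.
$IocZipMd5 = '9809BDF6E9981FBC3AD515B731124342'

# Returns one record per indicator found: a .zip under \lib with the IOC hash,
# or any .jsp under \webapps\DesktopCentral\html, the location where the
# advisory says the dropped .jsp appears (each one is reported for review).
function Find-DcIocs {
    param([Parameter(Mandatory)][string]$Root)
    $hits    = @()
    $libDir  = Join-Path $Root 'lib'
    $htmlDir = Join-Path $Root 'webapps\DesktopCentral\html'

    if (Test-Path $libDir) {
        foreach ($zip in Get-ChildItem -Path $libDir -Filter *.zip -File -Recurse -ErrorAction SilentlyContinue) {
            $hash = Get-FileHash -Path $zip.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            if ($hash -and $hash.Hash -eq $IocZipMd5) {
                $hits += [pscustomobject]@{ Indicator = 'zip-md5-match'; Path = $zip.FullName; Detail = $hash.Hash }
            }
        }
    }
    if (Test-Path $htmlDir) {
        foreach ($jsp in Get-ChildItem -Path $htmlDir -Filter *.jsp -File -Recurse -ErrorAction SilentlyContinue) {
            $hits += [pscustomobject]@{ Indicator = 'jsp-under-html'; Path = $jsp.FullName; Detail = $jsp.LastWriteTimeUtc }
        }
    }
    return ,$hits   # leading comma keeps an empty result an array, so .Count is 0
}

# --- triage pass ---
$target = Get-DcUpgradeTarget -Build $Build
if ($target) {
    Write-Warning "Build $Build is in a vulnerable range; upgrade to $target after the checks below."
} else {
    Write-Host "Build $Build is not in a range the advisory lists as vulnerable."
}

$iocs = Find-DcIocs -Root $InstallRoot
if ($iocs.Count -gt 0) {
    Write-Warning "Possible compromise: $($iocs.Count) indicator(s) found. Isolate the host, back up the database, then rebuild."
    $iocs | Format-Table -AutoSize
} else {
    Write-Host 'No advisory IOCs found. This does not replace running Zoho''s RCEScan.bat.'
}
```

Save it as, for example, Invoke-DcTriage.ps1 and run it from an elevated PowerShell prompt on the server: `.\Invoke-DcTriage.ps1 -Build 10.1.2127.17` (add `-InstallRoot` if Desktop Central is installed elsewhere). A fixed build such as 10.1.2137.3 makes Get-DcUpgradeTarget return $null; a hash match under \lib is a strong indicator, while a .jsp under the html folder needs a look at the file before deciding, since the advisory does not name it.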