Authentication Bypass Vulnerabilities in Desktop Central (ZOHO ManageEngine)


In a recent security notification, Zoho has encouraged customers who use ServiceDesk Plus together with Desktop Central or Desktop Central MSP for asset discovery to update their installations to the latest versions.

ManageEngine Desktop Central is an endpoint management platform used by administrators. It lets admins deploy software and patches across the network automatically, and it also helps them troubleshoot software and patch problems remotely.

The notification concerned an authentication bypass vulnerability in ManageEngine Desktop Central, tracked as CVE-2021-44515. It is an RCE (Remote Code Execution) vulnerability: an adversary can bypass authentication and execute arbitrary code on the Desktop Central server. Desktop Central Cloud, however, is not affected.

CVE-2021-44515 results from an improper configuration in one of the application's filters. Through this filter, an adversary can craft a URL that grants access to the server without proper authentication. This is not the first time Zoho servers have been targeted; they have been under attack since at least July 2020, and one recent campaign, run between August and October 2021, used APT27-like tactics against Zoho ManageEngine.

Impact:

CVE-2021-44515 can let a threat actor bypass authentication controls and reach the Templates field to modify existing rules or create new ones. These rules can include:

  • Technician Auto Assign settings
  • Assets associated with a user
  • Translation and Change SLA configurations
  • Asset Field’s Allowed Values
  • Role details from Change Templates
  • Reorder the Service Catalog

Severity:

Numerous organisations worldwide use ServiceDesk Plus and Zoho ManageEngine Desktop Central, and the vulnerability could have affected all of them. The severity of the bug was therefore rated high.

How to check if the installation is affected?

You can check whether an installation is affected with the Exploit Detection Tool developed by Zoho. To download the tool, visit. Once the tool is downloaded, follow the steps below:

  1. The tool is downloaded as a ZIP file. First, extract it into the \ManageEngine\UEMS_CentralServer\bin folder or the \ManageEngine\DesktopCentral_Server\bin folder, depending on which server you are running.
  2. Open a command prompt with administrator privileges and navigate to the folder where the tool was extracted.
  3. From that folder, run RCEScan.bat.
  4. The tool then runs a series of checks to determine whether your installation is affected and reports the result as “Exploit Detected” or “No Exploit Detected.” Examples of both messages are shown in the screenshots below.

[Screenshots: “Exploit Detected”, “No Exploit Detected” and “Compromised” results from the ZOHO ManageEngine Desktop Central exploit detection tool]

IOCs (Indicators of Compromise) related to CVE-2021-44515 are:

  • Look for the zip file (md5 – 9809bdf6e9981fbc3ad515b731124342) in the \lib directory
  • Look for the jsp file in \webapps\DesktopCentral\html
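The following PowerShell script is an added example for checking the two IoCs above across a Desktop Central server; it is not Zoho's RCEScan tool and does not replace it. It assumes $InstallRoot points at the server directory (DesktopCentral_Server or UEMS_CentralServer). Because the advisory does not give the zip or jsp file names, the zip is matched by MD5 only and every .jsp under the html folder is listed for comparison against a known-good installation.

```powershell
# Added example (not Zoho's RCEScan.bat): look for the CVE-2021-44515 IoCs from the advisory.
# Assumption: $InstallRoot is the Desktop Central server directory; adjust for UEMS_CentralServer.
param(
    [string]$InstallRoot = 'C:\Program Files\DesktopCentral_Server'
)

$KnownBadMd5 = '9809bdf6e9981fbc3ad515b731124342'   # MD5 of the malicious zip, from the advisory
$LibDir      = Join-Path $InstallRoot 'lib'
$HtmlDir     = Join-Path $InstallRoot 'webapps\DesktopCentral\html'

function Find-KnownBadZip {
    # Hash every file under \lib and return those whose MD5 matches the advisory value.
    param([string]$Dir)
    if (-not (Test-Path $Dir)) { Write-Warning "Not found: $Dir"; return @() }
    Get-ChildItem -Path $Dir -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            if ($hash -ieq $KnownBadMd5) {
                [pscustomobject]@{ Indicator = 'zip-md5'; Path = $_.FullName; LastWrite = $_.LastWriteTime }
            }
        }
}

function Find-DroppedJsp {
    # List every .jsp under the html folder; the jsp name is not in the advisory, so review the
    # list against a clean install of the same build before treating an entry as malicious.
    param([string]$Dir)
    if (-not (Test-Path $Dir)) { Write-Warning "Not found: $Dir"; return @() }
    Get-ChildItem -Path $Dir -Filter '*.jsp' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'jsp-in-html'; Path = $_.FullName; LastWrite = $_.LastWriteTime }
        }
}

$findings = @(Find-KnownBadZip -Dir $LibDir) + @(Find-DroppedJsp -Dir $HtmlDir)

if ($findings.Count -eq 0) {
    Write-Output 'No CVE-2021-44515 IoCs found (not proof of a clean host; run RCEScan.bat as well).'
    exit 0
}

# Oldest first: the earliest write time approximates when the host was first compromised.
$findings | Sort-Object LastWrite | Format-Table -AutoSize
exit 1   # non-zero exit so the script can be run fleet-wide and alerted on
```

Run it from an elevated prompt on each server; a non-zero exit code marks hosts that need the isolation and rebuild steps described under Mitigations.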

Mitigations:

If the installation is found to be affected, first disconnect the affected system from the rest of the network. Next, back up the affected database. Once all critical data is backed up, format the affected machine and restore Desktop Central; restoring onto a different machine, while keeping the build version the same as that of the backup, is recommended.

Once the new installation is complete, the most important and mandatory step is to update Desktop Central to the latest version, in which Zoho has fixed the issue. You can update by logging in to the console, clicking the current build number, and downloading the latest update and PPM. In addition to the fresh installation, reset the passwords for everything that was accessed from the infected machine.

Moreover, even if the machine is not affected, updating to the latest version is still recommended to prevent future attacks.

For Both Enterprise and MSP:

Everyone using builds 10.1.2127.17 and below should upgrade to 10.1.2127.18, and everyone using builds between 10.1.2128.0 and 10.1.2137.2 should upgrade to 10.1.2137.3.
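As an added example (not from Zoho), the function below applies the two build ranges above to a build number and reports which fixed build is required. It assumes the current build is supplied as a string, for instance read from the console's build display; the advisory does not say where the build number is stored on disk, so the script does not try to read it.

```powershell
# Added example: map a Desktop Central / MSP build number to the fixed build this advisory requires.
# Assumption: $CurrentBuild is taken from the console (e.g. '10.1.2130.0'); it is not read from disk.
function Get-RequiredUpgrade {
    param([Parameter(Mandatory)][string]$CurrentBuild)
    $v = [version]$CurrentBuild   # four-part build numbers compare component-wise, not as strings

    # Builds 10.1.2127.17 and below -> 10.1.2127.18
    if ($v -le [version]'10.1.2127.17') { return '10.1.2127.18' }

    # Builds 10.1.2128.0 through 10.1.2137.2 -> 10.1.2137.3
    if ($v -ge [version]'10.1.2128.0' -and $v -le [version]'10.1.2137.2') { return '10.1.2137.3' }

    return $null   # already on a fixed build (or newer)
}

# Constructed sample builds straddling both boundaries
$samples = '10.1.2119.5', '10.1.2127.17', '10.1.2127.18', '10.1.2130.0', '10.1.2137.2', '10.1.2137.3', '10.1.2140.0'
foreach ($b in $samples) {
    $target = Get-RequiredUpgrade -CurrentBuild $b
    if ($target) { "$b -> upgrade to $target" } else { "$b -> no upgrade required by this advisory" }
}
```

Using [version] rather than string comparison matters here: as plain strings, '10.1.2127.9' would sort after '10.1.2127.18' and be misclassified as already fixed.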

Advice from SOC:

  • Reset passwords for all services, accounts, Active Directory, etc.
  • Resetting AD administrator passwords is also recommended.
  • Ensure Desktop Central is updated to the latest build
  • As always, make a copy of the entire Desktop Central installation folder before applying the upgrade, and keep the copy in a separate location