Code Execution Flaws Found in ManageEngine Products
Security News, March 2018
Researchers at cybersecurity technology and services provider Digital Defense have identified another round of vulnerabilities affecting products from Zoho-owned ManageEngine. ManageEngine provides network, data center, desktop, mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 companies.

Earlier this year, Digital Defense reported finding several potentially serious flaws in ManageEngine’s ServiceDesk Plus help desk software, and on Wednesday the company disclosed the details of six additional security holes found by its researchers in the ManageEngine Log360, EventLog Analyzer, and Applications Manager products.

Digital Defense describes the vulnerabilities as file upload, blind SQL injection, local file inclusion, and API key disclosure issues that can be exploited without authentication for arbitrary code execution and to obtain potentially sensitive information.

According to the security firm, the Log360 and EventLog Analyzer log management products are affected by an unauthenticated file upload vulnerability that can be exploited to upload a JavaServer Pages (JSP) web shell to the root directory. This is possible because the security checks of a file upload feature can be easily bypassed.

The rest of the flaws discovered by Digital Defense researchers affect ManageEngine Applications Manager, and many of them can be exploited for arbitrary code execution. The researchers identified several blind SQL injection flaws that unauthenticated attackers can leverage to execute arbitrary code with SYSTEM privileges and gain complete control of the targeted host. The list of security holes also includes a local file inclusion issue that can be exploited to download files that may contain sensitive information. The researchers also found that an attacker can obtain an Applications Manager user’s API key by sending a specially crafted GET request.
“Depending on the privilege level of the compromised user, this could result in full compromise of both the Applications Manager web application and the host running it,” Digital Defense warned.

The vulnerabilities were reported to ManageEngine on February 12, and fixes were developed a few weeks later. Patches were made available to customers on March 7.

Eduard Kovacs is a contributing editor at SecurityWeek.