Vulnerabilities > CVE-2018-11716 - Information Exposure Through Log Files vulnerability in Zohocorp Manageengine Desktop Central

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

zohocorp

CWE-532

critical

NVD

Published: 2018-07-16

Updated: 2018-09-17

Summary

An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444.

Vulnerable Configurations

Part	Description	Count
Application	Zohocorp Zohocorp Manageengine Desktop Central - Zohocorp Manageengine Desktop Central 7.0 Zohocorp Manageengine Desktop Central 7.0.0 Zohocorp Manageengine Desktop Central 7.0.1 Zohocorp Manageengine Desktop Central 8.0.0 Zohocorp Manageengine Desktop Central 9.0 Zohocorp Manageengine Desktop Central 9.1.0 Zohocorp Manageengine Desktop Central 10 Zohocorp Manageengine Desktop Central 10.0 Zohocorp Manageengine Desktop Central 10.0.0 Zohocorp Manageengine Desktop Central 10.0.124 Zohocorp Manageengine Desktop Central 10.0.137 Zohocorp Manageengine Desktop Central 10.0.184 Zohocorp Manageengine Desktop Central 10.0.255 Zohocorp Manageengine Desktop Central 10.0.271 Zohocorp Manageengine Desktop Central 10.0.289 Zohocorp Manageengine Desktop Central 10.0.290 Zohocorp Manageengine Desktop Central 10.0.380 Zohocorp Manageengine Desktop Central 10.0.430 Zohocorp Manageengine Desktop Central 10.0.479 Zohocorp Manageengine Desktop Central 10.0.483 Zohocorp Manageengine Desktop Central 10.0.484 Zohocorp Manageengine Desktop Central 10.0.486 Zohocorp Manageengine Desktop Central 10.0.533 Zohocorp Manageengine Desktop Central 10.0.552.W Zohocorp Manageengine Desktop Central 10.0.561 Zohocorp Manageengine Desktop Central 10.0.647 Zohocorp Manageengine Desktop Central 10.1.2119.7 Zohocorp Manageengine Desktop Central 10.1.2127.17 Zohocorp Manageengine Desktop Central 10.1.2127.18 Zohocorp Manageengine Desktop Central 10.1.2128.0 Zohocorp Manageengine Desktop Central 10.1.2137.2 Zohocorp Manageengine Desktop Central 10.1.2137.3 Zohocorp Manageengine Desktop Central 10.1.2137.8 Zohocorp Manageengine Desktop Central 10.1.2137.9 Zohocorp Manageengine Desktop Central 2020-03-07 Zohocorp Manageengine Desktop Central 2020-03-27	43

Common Weakness Enumeration (CWE)

CWE-532 - Information Exposure Through Log Files

Common Attack Pattern Enumeration and Classification (CAPEC)

Fuzzing and observing application log data/errors for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References