ZoHo patches authentication bypass in ManageEngine Desktop Central that could allow attackers to write arbitrary zip files to the server.
Background
On January 17, ZoHo issued an advisory and patches for CVE-2021-44757, a critical authentication bypass in its ManageEngine Desktop Central and ManageEngine Desktop Central MSP products. These are unified endpoint management solutions used to centrally manage a variety of devices including servers, personal computers and mobile devices. In December, ZoHo patched a separate authentication bypass in Desktop Central (CVE-2021-44515) that was actively exploited in the wild as a zero-day. At this time, there is no information stating that CVE-2021-44757 has been exploited in the wild.
Analysis
CVE-2021-44757 is a critical authentication bypass vulnerability that could allow a remote attacker to access sensitive data and write arbitrary zip files to a vulnerable server. At the time of publication, there is no CVSS score available for this vulnerability. Osword from SGLAB of Legendsec at Qi'anxin Group was credited with disclosing this vulnerability.
Given the history of exploitation against ZoHo ManageEngine Desktop Central, attackers are likely to adopt this vulnerability as well. Shortly after CVE-2021-44515 was publicly disclosed, the Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to its Catalog of Known Exploited Vulnerabilities, mandating that federal agencies find and fix vulnerable servers by December 24, 2021. On December 17, the Federal Bureau of Investigation (FBI) issued an advisory about advanced persistent threat activity that had been targeting ZoHo ManageEngine Desktop Central servers with CVE-2021-44515 since October 2021.
Proof of concept
At the time of publication, there is no proof-of-concept available.
Solution
ZoHo released Desktop Central and Desktop Central MSP version 10.1.2137.9 to address this vulnerability. The advisory also includes guidance on hardening these solutions.
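The practical check for a defender is whether each Desktop Central or Desktop Central MSP server is already on build 10.1.2137.9 or later. The following script is an added example (not code from Tenable or Zoho) that compares build strings numerically against the fixed version and lists hosts that are still below it. The inventory entries, hostnames and the `SAMPLE_INVENTORY` name are constructed for illustration; the only value taken from the advisory is the fixed build number.

```python
# Added example (not from the Tenable advisory or Zoho): flag Desktop Central
# builds older than the fixed release 10.1.2137.9 from a constructed inventory.
from typing import List, Tuple

FIXED_BUILD = "10.1.2137.9"  # fixed version stated in the advisory


def parse_build(version: str) -> Tuple[int, ...]:
    """Split a dotted build string into an integer tuple so comparison is numeric.

    A plain string comparison would wrongly rank '10.1.999.1' above
    '10.1.2137.9', so each component is converted to int first.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_BUILD) -> bool:
    """True when the reported build is older than the fixed build."""
    return parse_build(version) < parse_build(fixed)


def find_exposed_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose build predates the fix, in inventory order."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed inventory: hostnames and builds are made up for this example.
SAMPLE_INVENTORY = [
    ("dc-prod-01", "10.1.2137.9"),  # exactly the fixed build
    ("dc-prod-02", "10.1.2137.8"),  # one build behind the fix
    ("dc-msp-01", "10.1.999.1"),    # string compare would miss this one
    ("dc-lab-01", "10.1.2140.0"),   # newer than the fix
]

if __name__ == "__main__":
    for host in find_exposed_hosts(SAMPLE_INVENTORY):
        print(f"{host}: build below {FIXED_BUILD}, apply the ZoHo patch")
```

The check only establishes patch level; it says nothing about whether a server was reached before it was patched, so hosts it flags still warrant a review of access logs and any unexpected zip files under the Desktop Central installation. It also assumes each host reports its build in the same four-component form the advisory uses, and it does not distinguish Desktop Central from Desktop Central MSP, since both are fixed at the same build number.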
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
- CVE-2021-44515: ZoHo Patches ManageEngine Zero-Day Exploited in the Wild
- CVE-2021-44757 Security Advisory
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.