Critical Alert: A Vulnerability in ManageEngine Applications Manager Could Allow for Remote Code Execution

by CIRT Team

13 Mar 2018

in Security Advisories & Alerts

No Comments

1551

Description: A vulnerability has been discovered in ManageEngine
Applications Manager, which could allow for remote code execution. The
publically accessible testCredential.do endpoint takes multiple user
inputs and validates supplied credentials by accessing a specific
system. This endpoint calls several internal classes and then executes a
PowerShell script. If the specified system is an Office SharePoint
Server, then the username and password parameters to this script are not
validated, leading to command injection.

Impact: Successful exploitation of this vulnerability could result in
remote code execution in the context of the affected system. Depending
on the privileges associated with the application, an attacker could
install programs; view, change, or delete data; or create new accounts
with full user rights. If this application has been configured to have
fewer user rights on the system, exploitation of this vulnerability
could have less impact than if it was configured with administrative rights.

System Affected:

ManageEngine Applications Manager 13.5

Mitigation:
The following actions are recommended:

Install appropriate updates provided by ManageEngine as they become available and appropriate testing has been completed.
Verify no unauthorized system modifications have occurred on the system before applying the anticipated patch.
Monitor intrusion detection systems for any signs of anomalous activity.
Unless required, limit external network access to affected product.

Reference URL’s: