Zoho ManageEngine is a suite of IT management software designed to help businesses manage their IT infrastructure, including network, server, mobile, and desktop management.

These apps are quite useful, as we often need to integrate all of the resources we are monitoring into a single dashboard for efficient monitoring and management. That also means these applications more often than not require administrative permissions (as ManageEngine does) in order to work normally, so they hold the keys to all your systems. None of this is uncommon or alarming, because we already centralize our access control by entrusting our credentials to authentication providers and protocols such as OAuth, Google SSO, or Kerberos, as it is practical, often necessary, and frequently more secure.

Having said this, we are prone to take a leap of faith and rely solely on the vendor's reputation, since proving or disproving the security of a third-party product is harder than reinventing the wheel. But when something goes very wrong, we are in deep trouble, since these products form the foundation of our trust and integrity chain.

The Vulnerability

Overall, this is a critical vulnerability with a CVSS score of 9.8 that can be exploited over the network with no privileges and no user interaction whatsoever.
Assuming that Zoho's apps encrypt your saved credentials (and not with a hard-coded string as the key), those credentials should not be in immediate danger, but an attacker could still abuse the control that Zoho's apps have over your monitored and maintained infrastructure and devices.

The issue, caused by poor integration of security measures, led to remote code execution. According to multiple sources, Zoho's developers used Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, an open-source Java library maintained by the Apache Software Foundation that implements cryptographic and other security standards for XML.

Unfortunately, the version of the dependency they relied on lacked a particular safeguard, as it was meant to be used together with additional, external security controls. We tried to find out which exact weakness caused this vulnerability using the official vulnerability tracking registers such as NVD and CVE, but without luck. In the end, we did stumble upon entries on a few other websites stating that it was CWE-20, improper input validation.

It is exploited by sending a specifically crafted samlResponse XML to the vulnerable ADSelfService Plus endpoint, and it resembles the XStream vulnerability we wrote about some time ago in that the input is improperly validated only after the XML has been deserialized. With that said, one could argue that an input validation flaw in this context could also be categorized under CWE-502, deserialization of untrusted data.
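The flaw described above is that the XML is trusted before it has been checked. The following is an added example, not code from the original post, from ManageEngine or from Apache Santuario: it shows the opposite order, a structural pre-check that runs on the raw samlResponse bytes before any SAML or signature library deserializes them. The element allowlist, the size, depth and element-count limits and the sample documents are all this example's own assumptions (the SAML 2.0 and XML-DSig namespace URIs are the standard ones); a real deployment would still verify the XML signature afterwards in its SAML library.

```python
"""Validate-before-deserialize pre-check for an inbound SAML response.

Added example (not code from the original post, ManageEngine or Apache
Santuario).  Limits and the element allowlist are assumptions made here.
"""
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Assumed policy limits (this example's choice, not a vendor value).
MAX_BYTES = 64 * 1024
MAX_DEPTH = 24
MAX_ELEMENTS = 1000

ROOT_TAG = f"{{{SAMLP}}}Response"
# Assumed allowlist: the only SAML elements this endpoint expects to see.
ALLOWED_TAGS = {
    ROOT_TAG,
    f"{{{SAMLP}}}Status", f"{{{SAMLP}}}StatusCode",
    f"{{{SAML}}}Issuer", f"{{{SAML}}}Assertion", f"{{{SAML}}}Subject",
    f"{{{SAML}}}NameID", f"{{{SAML}}}SubjectConfirmation",
    f"{{{SAML}}}SubjectConfirmationData", f"{{{SAML}}}Conditions",
    f"{{{SAML}}}AudienceRestriction", f"{{{SAML}}}Audience",
    f"{{{SAML}}}AuthnStatement", f"{{{SAML}}}AuthnContext",
    f"{{{SAML}}}AuthnContextClassRef", f"{{{SAML}}}AttributeStatement",
    f"{{{SAML}}}Attribute", f"{{{SAML}}}AttributeValue",
}
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def _allowed(tag: str) -> bool:
    # The signature subtree may use any XML-DSig element; everything else
    # must be on the explicit allowlist.
    return tag in ALLOWED_TAGS or tag.startswith(f"{{{DSIG}}}")


def validate_saml_response(raw: bytes) -> list[str]:
    """Return the reasons to reject `raw`; an empty list means the document
    passed the structural checks and may be handed to the SAML/DSig layer."""
    if len(raw) > MAX_BYTES:
        return [f"document too large ({len(raw)} bytes > {MAX_BYTES})"]
    # Check 1: no DTD at all, so no entity declarations, internal or external.
    if _DTD_MARKER.search(raw):
        return ["DOCTYPE/ENTITY declaration present; DTDs are not accepted"]
    # Check 2: the bytes must be well-formed XML.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems: list[str] = []
    # Check 3: the root must be exactly the element this endpoint handles.
    if root.tag != ROOT_TAG:
        problems.append(f"unexpected root element {root.tag!r}")
    # Check 4: walk the tree enforcing depth, element count and the allowlist.
    count = 0
    stack = [(root, 1)]
    while stack:
        el, depth = stack.pop()
        count += 1
        if count > MAX_ELEMENTS:
            problems.append(f"more than {MAX_ELEMENTS} elements")
            break
        if depth > MAX_DEPTH:
            problems.append(f"nesting deeper than {MAX_DEPTH} at {el.tag!r}")
            break
        if not _allowed(el.tag):
            problems.append(f"element not on allowlist: {el.tag!r}")
        stack.extend((child, depth + 1) for child in el)
    return problems


# Constructed sample documents (not captured from any real IdP).
GOOD = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

DTD_SMUGGLED = b"""<!DOCTYPE r [<!ENTITY e "x">]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&e;</samlp:Response>"""

FOREIGN_ELEMENT = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <x:Unexpected xmlns:x="urn:example:not-saml"/>
</samlp:Response>"""


def deeply_nested(levels: int) -> bytes:
    """Build a Response whose Subject elements are nested `levels` deep."""
    head = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">')
    return head + b"<saml:Subject>" * levels + b"</saml:Subject>" * levels + b"</samlp:Response>"


if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("dtd", DTD_SMUGGLED),
                      ("foreign", FOREIGN_ELEMENT), ("deep", deeply_nested(30))]:
        print(name, validate_saml_response(doc) or "accepted")
```

The order matters: the DTD and size checks look at raw bytes before the parser touches them, the parser establishes well-formedness, and only then is the tree compared against what the endpoint actually expects. Anything that fails is rejected before a deserializer or signature library ever sees it, which is the step the vulnerable component relied on its caller to perform.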

Affected Versions And Configurations

According to ManageEngine's security advisory, some apps are vulnerable only while SAML-based SSO authentication is configured, whereas others are vulnerable if SAML-based SSO authentication has been configured at any point in time. This has been confirmed by a couple of security researchers from Metasploit, who also published an exploit on Packet Storm.

For the list of affected apps, versions, and configurations, we recommend that you take a look at ManageEngine's security advisory. As there are no obvious mitigation steps to take if you have a vulnerable ManageEngine installation, we recommend simply updating the suite, since the patch for this vulnerability has already been issued.

To Sum It Up

When programming in high-level languages such as Java, a programmer needs to understand how compilers, interpreters, and other parts of the language runtime interact with input data in order to prevent improper input validation vulnerabilities.

Although XML is a popular data format for exchanging information between systems, validating XML input can be a challenging endeavor. As the complexity of an XML structure increases, validating the input data becomes more error-prone and time-consuming. XML and input validation therefore do not always go hand in hand as easily as one might expect.

It is crucial to have a robust security mechanism in place to prevent such incidents from happening.
