[BreachExchange] Critical Zoho Zero-Day Flaw Disclosed

Destry Winant destry at riskbasedsecurity.com
Wed Mar 11 10:05:52 EDT 2020


https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/?utm_source=rss&utm_medium=rss&utm_campaign=critical-zoho-zero-day-flaw-disclosed

A Zoho zero-day vulnerability and proof-of-concept (PoC) exploit code
were disclosed on Twitter.

UPDATE

A zero-day vulnerability has been disclosed in the ManageEngine IT help
desk software made by Zoho Corp. The serious vulnerability enables an
unauthenticated, remote attacker to launch attacks on affected systems.
Zoho has now released a security update addressing the vulnerability.

As of Monday, March 9, the vulnerability has been observed being
actively exploited in the wild, according to a Center for Internet
Security advisory.

The vulnerability, first reported by ZDNet, exists in Zoho
ManageEngine Desktop Central, an endpoint management tool that helps
users manage their servers, laptops, smartphones, and more from a
central location. Steven Seeley of Source Incite disclosed the flaw
on Twitter on Thursday, along with a proof-of-concept (PoC) exploit.
According to ZDNet, the enterprise software development company will
release a patch for the flaw on Friday.

“This vulnerability allows remote attackers to execute arbitrary code
on affected installations of ManageEngine Desktop Central.
Authentication is not required to exploit this vulnerability,”
according to Seeley.

According to Seeley, the specific flaw exists within the FileStorage
class of Desktop Central. The FileStorage class is used to read data
from and write data to a file. The issue results from improper
validation of user-supplied data, which can result in deserialization
of untrusted data.
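The control that "improper validation of user-supplied data" leaves out is a check on what the serialized stream is allowed to contain before any object is reconstructed. The Java example below is added here and is not Zoho or ManageEngine code; it assumes a Java 9+ runtime (that Desktop Central is a Java application is an assumption, not stated in the article) and a hypothetical StoredRecord type standing in for whatever the real FileStorage class persists.

```java
import java.io.*;
import java.util.HashMap;

// Added example (not Zoho/ManageEngine code): a file-storage reader that applies a
// deserialization allowlist before any object graph is rebuilt. Assumes Java 9+.
public final class SafeFileStorage {
    // Hypothetical record type; the only thing this store ever expects to read back.
    public static final class StoredRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String key;
        public final byte[] payload;
        public StoredRecord(String key, byte[] payload) { this.key = key; this.payload = payload; }
    }

    // Allow our record and java.lang.String, reject every other class ("!*"), and bound
    // depth/array size so a crafted stream cannot exhaust memory. Primitive arrays such
    // as byte[] are left undecided (allowed) by the pattern filter.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1048576;SafeFileStorage$StoredRecord;java.lang.String;!*");

    // Reads one record; an unexpected class is rejected before its readObject() can run.
    public static StoredRecord read(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(FILTER);
            return (StoredRecord) ois.readObject();
        }
    }

    public static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected input is accepted.
        byte[] good = write(new StoredRecord("k1", new byte[] {1, 2, 3}));
        System.out.println("accepted: " + read(new ByteArrayInputStream(good)).key);

        // Constructed sample of unexpected input: a HashMap where a StoredRecord belongs.
        byte[] bad = write(new HashMap<String, String>());
        try {
            read(new ByteArrayInputStream(bad));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the filter, the second read would happily instantiate whatever class the stream names, which is the condition a gadget-chain payload relies on.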

Seeley told Threatpost that an attacker can leverage this vulnerability
to execute code in the context of SYSTEM, giving them “full control of
the target machine… basically the worst it gets.”

ϻг_ϻε@steventseeley

Since @zoho typically ignores researchers, I figured it was OK to
share a ManageEngine Desktop Central zero-day exploit with everyone.
UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!

Advisory: https://srcincite.io/advisories/src-2020-0011/ …
Exploit: https://srcincite.io/pocs/src-2020-0011.py.txt …

1:35 PM - Mar 5, 2020

According to Seeley, who also posted a PoC attack for the flaw on
Twitter, the vulnerability ranks 9.8 out of 10.0 on the CVSS scale,
making it critical in severity. Nate Warfield, a security researcher
with Microsoft, pointed to at least 2,300 Zoho systems potentially
exposed online.

Rick Holland, CISO and vice president of strategy at Digital Shadows,
said if an attacker can compromise a solution like ManageEngine, they
have an “open season” on a target company’s environment.

“An attacker has a myriad of options not limited to: accelerating
reconnaissance of the target environment, deploying their malware
including ransomware, or even remotely monitor users’ machines,”
Holland told Threatpost. “Given that this vulnerability enables
unauthenticated remote execution of code, it is even more vital that
companies deploy a patch as soon as it becomes available.
Internet-facing deployments of Desktop Central should be taken offline
immediately.”

Threatpost has reached out to Zoho via email and Twitter for further
comment; the company has not yet responded. However, Zoho said on
Twitter, “we have identified the issue and are working on a patch with
top priority. We will update once it is done.”

Zoho✔@zoho

We have identified the issue and are working on a patch with top
priority. We will update once it is done. ^BG

1:17 AM - Mar 6, 2020

Seeley told Threatpost that he didn’t contact Zoho before disclosing
the vulnerability due to negative previous experiences with the
company regarding vulnerability disclosure. “I have in the past for
other critical vulnerabilities and they ignored me,” he said.

This lack of responsible disclosure has drawn mixed opinions from
security experts. Some, like Rui Lopes, engineering and technical
support director at Panda Security, told Threatpost that the incident
could leave vulnerable systems open to bad actors.

“There seems to be some breakdown of communication between independent
researchers and the solution vendors who offer centralized IT
management platforms, which inevitably leads to inefficient patching
protocols and the exposure of sensitive information that arms bad
actors with threat vectors that would be otherwise unknown.”

Tim Wade, technical director of the CTO Team at Vectra, told
Threatpost that the incident highlights the need for better
relationships between security researchers and organizations.

“Allegedly, Zoho’s reputation for ignoring security researchers who’ve
found exploitable bugs in their products factored into the decision
for a direct release,” he said. “While the merits of this decision may
be discussed fairly from multiple perspectives, at a minimum it
underscores the need for software organizations to foster better
relationships with the security community, and the seriousness of
failing to do so.”

Researchers previously found multiple critical flaws in Zoho’s
ManageEngine software in 2018. In all, seven vulnerabilities were
discovered, each allowing an attacker to ultimately take control of
host servers running ManageEngine’s SaaS suite of applications. A
massive number of keylogger phishing campaigns have also previously
been seen tied to the Zoho online office suite software; in one
analysis, a full 40 percent of those spotted in October 2018 used a
zoho.com or zoho.eu email address to exfiltrate data from victim
machines.

This article was updated Friday at 4:36 pm to reflect that Zoho has
released a patch; and on Monday at 4pm to reflect that the flaw is now
being actively exploited in the wild.


More information about the BreachExchange mailing list