DIVD-2023-00004 - Unauthenticated Remote Command Execution using SAML in Zoho ManageEngine

Our reference DIVD-2023-00004
Case lead Max van der Horst
Researcher(s)
CVE(s)
Product Zoho ManageEngine OnPremise
Versions
  • Access Manager Plus: < 4307
  • Active Directory 360: < 4309
  • ADAudit Plus: < 7080
  • ADManager Plus: < 7161
  • ADSelfService Plus: < 6210
  • Analytics Plus: < 5140
  • Application Control Plus: < 10.1.2220.17
  • Asset Explorer: < 6982
  • Browser Security Plus: < 11.1.2238.5
  • Device Control Plus: < 10.1.2220.17
  • Endpoint Central: < 10.1.2228.10
  • Endpoint Central MSP: < 10.1.2228.10
  • Endpoint DLP: < 10.1.2137.5
  • Key Manager Plus: < 6400
  • OS Deployer: < 1.1.2243.0
  • PAM 360: < 5712
  • Password Manager Pro: < 12123
  • Patch Manager Plus: < 10.1.2220.17
  • Remote Access Plus: < 10.1.2228.10
  • Remote Monitoring and Management: < 10.1.40
  • ServiceDesk Plus: < 14003
  • ServiceDesk Plus MSP: < 13000
  • SupportCenter Plus: 11017 to 11025
  • Vulnerability Manager Plus: < 10.1.2220.17
Recommendation Update your ManageEngine instance to the next version. The patched version is the next version number for all vulnerable versions (e.g. 4307 > 4308).
Status Closed
Last modified 21 Apr 2023 15:12 CEST

Summary

An unauthenticated Remote Command Execution vulnerability has been identified in Zoho ManageEngine. It is registered as CVE-2022-47966 and stems from an outdated Apache Santuario implementation. If SAML has been enabled to facilitate Single Sign-On (SSO), malicious actors can execute arbitrary code on ManageEngine instances by sending a malicious SAML response to the server.

What you can do

Update your ManageEngine instance to the next version after the mentioned vulnerable versions.

What we are doing

DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding ManageEngine instances with reachable SAMLResponseServlets and verifying their version.

Timeline

Date Description
20 Jan 2023 DIVD starts researching fingerprint.
22 Jan 2023 DIVD identifies vulnerable parties.
24 Jan 2023 DIVD sends first round of notifications.
14 Feb 2023 DIVD conducts second scan and prepares second notification round.
25 Feb 2023 DIVD sends second round of notifications.
16 Apr 2023 DIVD conducted final scan.
17 Apr 2023 Case closed.
gantt title DIVD-2023-00004 - Unauthenticated Remote Command Execution using SAML in Zoho ManageEngine dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00004 - Unauthenticated Remote Command Execution using SAML in Zoho ManageEngine (87 days) :2023-01-20, 2023-04-17 section Events DIVD starts researching fingerprint. : milestone, 2023-01-20, 0d DIVD identifies vulnerable parties. : milestone, 2023-01-22, 0d DIVD sends first round of notifications. : milestone, 2023-01-24, 0d DIVD conducts second scan and prepares second notification round. : milestone, 2023-02-14, 0d DIVD sends second round of notifications. : milestone, 2023-02-25, 0d DIVD conducted final scan. : milestone, 2023-04-16, 0d Case closed. : milestone, 2023-04-17, 0d

More information