
DIVD-2023-00004 - Unauthenticated Remote Command Execution using SAML in Zoho ManageEngine

Our reference DIVD-2023-00004
Case lead Max van der Horst
Researcher(s)
CVE(s) CVE-2022-47966
Product Zoho ManageEngine OnPremise
Versions (last vulnerable build per product; the next build number is the fixed one)
  • Access Manager Plus: ≤ 4307
  • Active Directory 360: ≤ 4309
  • ADAudit Plus: ≤ 7080
  • ADManager Plus: ≤ 7161
  • ADSelfService Plus: ≤ 6210
  • Analytics Plus: ≤ 5140
  • Application Control Plus: ≤ 10.1.2220.17
  • Asset Explorer: ≤ 6982
  • Browser Security Plus: ≤ 11.1.2238.5
  • Device Control Plus: ≤ 10.1.2220.17
  • Endpoint Central: ≤ 10.1.2228.10
  • Endpoint Central MSP: ≤ 10.1.2228.10
  • Endpoint DLP: ≤ 10.1.2137.5
  • Key Manager Plus: ≤ 6400
  • OS Deployer: ≤ 1.1.2243.0
  • PAM 360: ≤ 5712
  • Password Manager Pro: ≤ 12123
  • Patch Manager Plus: ≤ 10.1.2220.17
  • Remote Access Plus: ≤ 10.1.2228.10
  • Remote Monitoring and Management: ≤ 10.1.40
  • ServiceDesk Plus: ≤ 14003
  • ServiceDesk Plus MSP: ≤ 13000
  • SupportCenter Plus: 11017 to 11025 (inclusive)
  • Vulnerability Manager Plus: ≤ 10.1.2220.17
Recommendation Update your ManageEngine instance to the build after the listed vulnerable version. For every product the patched build is the next build number (e.g. Access Manager Plus 4307 → 4308, Endpoint Central 10.1.2228.10 → 10.1.2228.11).
Status Open
Last modified 24 Jan 2023 16:11

Summary

An unauthenticated remote code execution vulnerability, registered as CVE-2022-47966, affects the Zoho ManageEngine products listed above. It is caused by an outdated version of the Apache Santuario (XML Security for Java) library bundled with these products. If SAML single sign-on (SSO) is enabled, an attacker who can reach the SAML response endpoint can execute arbitrary code on the ManageEngine server by sending it a crafted SAML response; no credentials are required. Depending on the product, an instance on which SAML SSO was enabled in the past may remain exposed even after SSO has been switched off, so treat every instance that has ever had SAML configured as affected until it has been updated.

What you can do

Update your ManageEngine instance to the build after the vulnerable version listed above for your product. Disabling SAML SSO is not a substitute for updating.

What we are doing

DIVD is currently identifying vulnerable parties and notifying them. We do this by finding ManageEngine instances with a reachable SAMLResponseServlet and verifying their build number against the version list above.
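The version check that such a fingerprinting pass needs, as an added example (not DIVD's scanner). The build bounds are transcribed from this advisory's version list, read together with the recommendation that the next build number is the fixed one, so a listed build is itself vulnerable. The host records are constructed sample data, and whether the SAMLResponseServlet was reachable is assumed to come from a separate probe that this block does not perform.

```python
"""Version triage for DIVD-2023-00004 (CVE-2022-47966) in Zoho ManageEngine.

Added example, not DIVD tooling. Bounds are taken from the advisory's
version list; the listed build is the last vulnerable one and the next
build number is fixed. Host records below are constructed, not real.
"""
from __future__ import annotations

# Last vulnerable build per product. Dotted builds are compared field by
# field, plain builds as a single integer.
LAST_VULNERABLE = {
    "Access Manager Plus": "4307",
    "Active Directory 360": "4309",
    "ADAudit Plus": "7080",
    "ADManager Plus": "7161",
    "ADSelfService Plus": "6210",
    "Analytics Plus": "5140",
    "Application Control Plus": "10.1.2220.17",
    "Asset Explorer": "6982",
    "Browser Security Plus": "11.1.2238.5",
    "Device Control Plus": "10.1.2220.17",
    "Endpoint Central": "10.1.2228.10",
    "Endpoint Central MSP": "10.1.2228.10",
    "Endpoint DLP": "10.1.2137.5",
    "Key Manager Plus": "6400",
    "OS Deployer": "1.1.2243.0",
    "PAM 360": "5712",
    "Password Manager Pro": "12123",
    "Patch Manager Plus": "10.1.2220.17",
    "Remote Access Plus": "10.1.2228.10",
    "Remote Monitoring and Management": "10.1.40",
    "ServiceDesk Plus": "14003",
    "ServiceDesk Plus MSP": "13000",
    "Vulnerability Manager Plus": "10.1.2220.17",
}
# SupportCenter Plus is the one product the advisory gives as a closed range.
VULNERABLE_RANGES = {"SupportCenter Plus": ("11017", "11025")}


def parse_build(build: str) -> tuple[int, ...]:
    """'10.1.2220.17' -> (10, 1, 2220, 17); '4307' -> (4307,).

    Anything that is not dot-separated digits raises, so a fingerprint
    that failed to extract a build is never silently classified as fixed.
    """
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable build: {build!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, build: str) -> bool:
    """True if (product, build) falls inside the advisory's vulnerable set."""
    v = parse_build(build)
    if product in VULNERABLE_RANGES:
        lo, hi = VULNERABLE_RANGES[product]
        return parse_build(lo) <= v <= parse_build(hi)
    if product in LAST_VULNERABLE:
        return v <= parse_build(LAST_VULNERABLE[product])
    raise KeyError(f"product not covered by DIVD-2023-00004: {product!r}")


# Constructed records of the shape a fingerprinting pass would hand back:
# (host, product, build, saml_response_servlet_reachable). Not real hosts.
SAMPLE_HOSTS = [
    ("sdp.example.test", "ServiceDesk Plus", "14003", True),
    ("sdp2.example.test", "ServiceDesk Plus", "14004", True),
    ("ec.example.test", "Endpoint Central", "10.1.2228.10", False),
    ("scp.example.test", "SupportCenter Plus", "11026", True),
    ("pam.example.test", "PAM 360", "5700", True),
]


def triage(hosts: list[tuple[str, str, str, bool]]) -> dict[str, list[str]]:
    """Sort hosts into notification buckets.

    notify: vulnerable build and the SAML endpoint was reachable.
    patch:  vulnerable build, endpoint not seen; still needs the update,
            because exposure can change (or SAML was enabled earlier).
    ok:     build is at or past the fixed one.
    """
    result: dict[str, list[str]] = {"notify": [], "patch": [], "ok": []}
    for host, product, build, reachable in hosts:
        if not is_vulnerable(product, build):
            result["ok"].append(host)
        elif reachable:
            result["notify"].append(host)
        else:
            result["patch"].append(host)
    return result


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_HOSTS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Build strings are compared as tuples of integers rather than as text, because lexical comparison would rank "10.1.2228.9" above "10.1.2228.10"; a build that cannot be parsed raises instead of being treated as safe.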

Timeline

Date Description
20 Jan 2023 DIVD starts researching fingerprint.
22 Jan 2023 DIVD identifies vulnerable parties.
24 Nov 2023 DIVD sends first round of notifications.

More information