DIVD-2023-00004 - Unauthenticated Remote Command Execution using SAML in Zoho ManageEngine
Field | Value |
---|---|
Our reference | DIVD-2023-00004 |
Case lead | Max van der Horst |
Researcher(s) | |
CVE(s) | CVE-2022-47966 |
Product | Zoho ManageEngine OnPremise |
Versions | |
Recommendation | Update your ManageEngine instance to the next build. For every vulnerable version the patched release is the next build number (e.g. build 4307 is fixed in build 4308). |
Status | Open |
Last modified | 24 Jan 2023 16:11 |
Summary
An unauthenticated Remote Command Execution vulnerability has been identified in Zoho ManageEngine. It is registered as CVE-2022-47966 and stems from an outdated version of the Apache Santuario (XML Security for Java) library used to process SAML responses. If SAML has been enabled to facilitate Single Sign-On (SSO), an unauthenticated attacker can execute arbitrary code on the ManageEngine instance by sending a crafted SAML response to the server.
What you can do
Update your ManageEngine instance to the first patched build, which is the build number immediately after the vulnerable one you are running.
What we are doing
DIVD is currently identifying vulnerable parties and notifying them. We do this by finding ManageEngine instances whose SAMLResponseServlet is reachable and verifying their build version.
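The fingerprint described above has two signals: whether the SAML servlet is reachable at all, and whether the build number is still at or below the last vulnerable one. The script below is an added self-check for operators of a single instance, not DIVD's scanner. It assumes the servlet path `/SamlResponseServlet`, assumes a 404 on that path means SAML SSO is not deployed, assumes the build number can be read from unauthenticated HTML (the `BUILD_RE` pattern is a guess to adapt to your product), and takes the last vulnerable build number from the operator, since this page does not list build numbers per product.

```python
"""Self-check for the DIVD-2023-00004 fingerprint: is the SAML servlet reachable,
and is the instance still on a vulnerable build?

Added example, not DIVD's scanner. Assumptions (not stated on the case page):
  * the SAML endpoint lives at SAML_SERVLET_PATH;
  * a 404 on that path means SAML SSO is not deployed, anything else means reachable;
  * the build number can be read from unauthenticated HTML (BUILD_RE is a guess);
  * the operator supplies the last vulnerable build for their product from the
    vendor advisory, because the case page itself does not list build numbers.
"""
import re
import sys
import urllib.error
import urllib.request

# Assumption: endpoint path used by ManageEngine products for SAML SSO.
SAML_SERVLET_PATH = "/SamlResponseServlet"

# Assumption: build number appears as e.g. build=4307 or buildNo: "4307" in served HTML.
BUILD_RE = re.compile(r"build(?:No|Number)?\s*[=:\"']+\s*(\d{4,6})", re.IGNORECASE)


def saml_servlet_reachable(status: int) -> bool:
    """Assumption: only a 404 means the servlet is absent; 200/405/500 all show it is deployed."""
    return status != 404


def extract_build(html: str):
    """Return the first build number found in the HTML, or None if there is none."""
    m = BUILD_RE.search(html)
    return int(m.group(1)) if m else None


def is_vulnerable(observed_build: int, last_vulnerable_build: int) -> bool:
    """Rule from the case page: the patched release is the next build number after the
    vulnerable one, so anything at or below the last vulnerable build is still exposed."""
    return observed_build <= last_vulnerable_build


def assess(status: int, html: str, last_vulnerable_build: int) -> dict:
    """Combine the two fingerprint signals into one verdict.

    verdict is one of:
      'not_exposed' - servlet not reachable, so the SAML code path is not exposed
      'vulnerable'  - servlet reachable and build at or below the last vulnerable one
      'patched'     - servlet reachable but the build is past the fix
      'unknown'     - servlet reachable but no build number could be read
    """
    reachable = saml_servlet_reachable(status)
    build = extract_build(html)
    if not reachable:
        verdict = "not_exposed"
    elif build is None:
        verdict = "unknown"
    elif is_vulnerable(build, last_vulnerable_build):
        verdict = "vulnerable"
    else:
        verdict = "patched"
    return {"servlet_reachable": reachable, "build": build, "verdict": verdict}


def _fetch(url: str, timeout: float = 10.0):
    """GET url and return (status, body), also for HTTP error responses such as 404/405."""
    req = urllib.request.Request(url, headers={"User-Agent": "divd-2023-00004-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url: str, last_vulnerable_build: int) -> dict:
    """Live check of one instance: servlet reachability plus the build from the landing page."""
    base = base_url.rstrip("/")
    status, _ = _fetch(base + SAML_SERVLET_PATH)
    _, landing = _fetch(base + "/")
    return assess(status, landing, last_vulnerable_build)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: selfcheck.py https://manageengine.example.com <last_vulnerable_build>")
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it against your own instance only. A `not_exposed` verdict says the SAML code path is not reachable from where you scanned, not that the instance is patched; upgrade to the next build regardless, since SSO may be enabled later or reachable from another network.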
Timeline
Date | Description |
---|---|
20 Jan 2023 | DIVD starts researching fingerprint. |
22 Jan 2023 | DIVD identifies vulnerable parties. |
24 Nov 2023 | DIVD sends first round of notifications. |