CVE-2020-10189: Deserialization Vulnerability in Zoho ManageEngine Desktop Central 10 Patched (SRC-2020-0011)
Zoho releases a patch for a critical remote code execution flaw in ManageEngine one day after the vulnerability was publicly disclosed.
Update 03/09/2020: Updated the Analysis section to include information on reports of active exploitation of this vulnerability.
背景說明
On March 5, Steven Seeley, an information security specialist at Source Incite, published an advisory for a vulnerability in Zoho ManageEngine Desktop Central. Desktop Central is a centralized management solution for a variety of devices – from personal computers (e.g., desktops, laptops) to mobile devices (e.g., smartphones, tablets). The vulnerability affects Desktop Central build 10.0.473 and below.
分析
CVE-2020-10189 is an untrusted deserialization vulnerability in Zoho ManageEngine Desktop Central. The vulnerability stems from an improper input validation in the FileStorage class. According to Seeley, an unauthenticated, remote attacker can abuse the lack of validation in the FileStorage class to upload a malicious file containing a serialized payload onto the vulnerable Desktop Central host. To trigger the untrusted deserialization, an attacker would then need to make a subsequent request for the file uploaded onto the vulnerable host. This would then grant the attacker arbitrary code execution with SYSTEM/root privileges. For more detail, please refer to the proof-of-concept section, which contains Seeley’s detailed breakdown of the vulnerability.
https://t.co/cCOrj1t6bo - "only" 2300+ of these online.....
— Nate Warfield (@n0x08) March 5, 2020
According to a Shodan search by Nate Warfield, senior security program manager at Microsoft, there are over 2,300 publicly accessible Desktop Central instances.
On March 9, we became aware of reports this vulnerability is now being actively exploited in the wild, including a list of indicators of compromise.
Active exploitation of Zoho ManageEngine (CVE-2020-10189 ) now seen in the wild - https://t.co/LeY8OnAvdR - Some additional IOCs @ https://t.co/IN1ubCXRvp
— chris doman (@chrisdoman) March 9, 2020
概念驗證
Along with his advisory, Seeley published a proof-of-concept (PoC) for the vulnerability, which he shared in a tweet.
解決方法
Zoho released a patch on March 6 to address this vulnerability in Desktop Central build 10.0.479. Users are strongly encouraged to patch as soon as possible by visiting ManageEngine’s service pack release page. The page also includes a link to download build 10.0.479.
找出受影響的系統
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
取得更多資訊
- SRC-2020-0011: Source Incite Advisory for CVE-2020-10189
- SRC-2020-0011: Source Incite Proof-of-Concept for CVE-2020-10189
加入 Tenable Community 的 Tenable 安全回應團隊。
深入瞭解 Tenable,這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。
索取 Tenable.io Vulnerability Management 的 30 天免費試用。
相關文章
The Role of Open Source in Cloud Security: A Case Study with Terrascan by Tenable
May 11, 2023Open source software and cloud-native infrastructure are inextricably linked and can play a key role in helping to manage security. Open source security tools like Terrascan by Tenable are easy to scale, cost-effective and benefit from an agile community of contributors. Let’s take a look at how you can implement it today.
Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
May 9, 2023Microsoft addresses 38 CVEs including three zero-day vulnerabilities, two of which were exploited in the wild.
Tenable Security Center Integration into Tenable One Delivers Full Exposure Management for On-Prem Customers
May 9, 2023With the integration of Tenable Security Center into Tenable One, Tenable becomes the only vendor to offer exposure management for both on-premises and hybrid deployment models. Here’s what you need to know.
Tenable Cyber Watch: OpenAI CEO Testifies Before Congress; Meet DarkBERT, New AI Trained on the Dark Web; and more
May 29, 2023This week’s edition of the Tenable Cyber Watch unpacks Sam Altman’s testimony before Congress on AI risks and regulations, and addresses the importance of cyberattack victims speaking up after an attack. Also covered: An introduction to DarkBERT, the only AI trained on the Dark Web.
Cybersecurity Snapshot: How Enterprise Cyber Leaders Can Tame the ChatGPT Beast
May 26, 2023Check out a guide written for CISOs by CISOs on how to manage the risks of using generative AI in your organization. Plus, the White House unveils an updated national AI strategy. Also, a warning about a China-backed attacker targeting U.S. critical infrastructure. And much more!
Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor
May 25, 2023Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor Several international cybersecurity authorities from the United States, Unit...
- 弱點管理