Critical flaw in ManageEngine Desktop Central MSP tool exploited in the wild

Hackers are exploiting a critical authentication bypass vulnerability in ManageEngine Desktop Central MSP, an endpoint management tool used by managed service providers (MSPs). Attacks started before ManageEngine issued a patch, so all customers are advised to check their systems for signs of exploitation using a special tool released by the developers.

ManageEngine is a division of business software developer Zoho that’s focused on IT management software. The division maintains a portfolio of over 90 products and free tools that are used by millions of system administrators in more than 180,000 companies around the world. News of this latest zero-day vulnerability comes after hackers exploited at least two other flaws in ManageEngine products this year. Attacks against MSPs and their tools have seen a rise over the past several years due to hackers realizing that compromising such organizations can provide an easy way into the networks of thousands of businesses that rely on them to manage their IT assets.

Multiple authentication bypasses

The vulnerability in ManageEngine Desktop Central MSP is tracked as CVE-2021-44515 and was patched on December 3, 2021. It allows attackers to bypass authentication and execute arbitrary code in the Desktop Central MSP server.

The company released builds 10.1.2127.18 and 10.1.2137.3 for the enterprise and MSP versions of the product. In addition, a tool has been released that can scan existing deployments for signs of the known exploit. If a compromised installation is detected, the company advises a series of steps that include:

• Disconnect the affected machine from the network.
• Make a backup of the Desktop Central MSP configuration and critical business data.
• Format the compromised machine.
• Deploy the same software build, preferably on a new machine.
• Restore the backup.
• Upgrade the installation to the latest patched version.

In addition, the company highly recommends resetting the password for all services, accounts and Active Directory (AD) systems that have been accessed from the compromised machine. Resetting the AD admin password is also advisable.

On December 3, Zoho also patched a separate authentication bypass flaw in another ManageEngine product called ServiceDesk Plus that’s used for IT help desk and asset management. Tracked as CVE-2021-44526, this flaw impacts the on-premises deployments of the product up to version 12002.

“This vulnerability can allow an adversary to bypass authentication and access Templates’ field and form rules, Technician Auto Assign settings, the Asset Field’s Allowed Values, Translation and Change SLA configurations, the Assets associated to a user, and role details from Change Templates, as well as reorder the Service Catalog,” the company explained.

Users are advised to upgrade to builds 11149, 11212 or 11311 or 12003, depending on the ServiceDesk Plus version they’re currently using. It’s also important to note that Professional and Enterprise ServiceDesk Plus deployments that use the Desktop Central agent for asset discovery are also impacted by the previously mentioned CVE-2021-44515 vulnerability.

Past attacks have used IT management tools for MSPs

On December 2, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) together with the FBI issued an advisory about active attacks targeting an older ManageEngine ServiceDesk Plus vulnerability that was patched in September. Tracked as CVE-2021-44077, that flaw allows for unauthenticated remote code execution on affected systems.

“The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability,” the agencies said. “Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

In September, CISA, the FBI and the United States Coast Guard Cyber Command (CGCYBER) issued a similar advisory to warn about attacks, also by APT actors, exploiting an authentication bypass vulnerability in a ManageEngine single sign-on solution called ADSelfService Plus.

It’s clear that attackers are showing an interest in ManageEngine products, but the company’s tools are not the only IT management applications that have been targeted.

In July, hackers exploited a vulnerability in a remote management tool called Kaseya VSA that’s used by many MSPs. The incident led to the compromise of hundreds of businesses worldwide and their infection with the REvil ransomware. In 2019, ransomware groups exploited an old vulnerability in the ConnectWise ManagedITSync integration, a utility designed to sync data between the ConnectWise Manage PSA and the Kaseya VSA RMM, to compromise MSPs.