The ManageEngine vulnerability is easy to exploit and enables remote code execution. Patches are available.

Users of on-premises deployments of Zoho ManageEngine products should make sure they have applied patches for a critical remote code execution vulnerability that attackers have now started exploiting in the wild. Technical details about the flaw along with a proof-of-concept exploit were released late last week, which will allow more attackers to add this exploit to their arsenal.

“The vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet,” researchers with penetration testing firm Horizon3.ai said in a blog post. “This vulnerability allows for remote code execution as NT AUTHORITY\SYSTEM, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done.”

Zoho released security updates during October and November for multiple products to address the flaw, which is now tracked as CVE-2022-47966. However, the security advisory was only published this month, and as of last week there were over 1,000 vulnerable instances of ManageEngine products directly exposed to the internet and probably many more inside large corporate networks.

SAML ShowStopper vulnerability

The vulnerability was found by a researcher named Khoadha, a.k.a. @_l0gg, from Vietnamese firm Viettel Cyber Security and was reported privately to Zoho through its bug bounty program in late October. When ManageEngine issued its advisory on January 10, researchers from Horizon3.ai investigated it and reverse-engineered the patch to create a working proof-of-concept exploit. After giving the community a heads-up that the flaw is very serious and easy to exploit, and sharing some IOCs that could enable exploit detection, they waited several days before publishing their findings.
Khoadha came out with a detailed write-up at the same time. The issue is located in old versions of a library called libxmlsec from the Apache Santuario open-source project. The version of the library used in ManageEngine products was over a decade old. Newer versions are not affected because of security enhancements added over time, though Khoadha’s findings are new.

Apache Santuario implements security standards for XML, primarily XML-Signature Syntax and Processing and XML Encryption Syntax and Processing. These are commonly used in Security Assertion Markup Language (SAML), a protocol that’s popular in single sign-on (SSO) implementations to communicate between identity providers and service providers. Enterprises use SAML to enable employees to use the same identity across different applications and services.

Zoho ManageEngine provides a suite of products for enterprises, many of which support SAML-based SSO. Some of the products are affected if they currently have SAML SSO enabled, while some are affected if they ever had it enabled in the past, even if they don’t anymore. The affected products are:

Access Manager Plus
Active Directory 360
ADAudit Plus
ADManager Plus
ADSelfService Plus
Analytics Plus
Application Control Plus
Asset Explorer
Browser Security Plus
Device Control Plus
Endpoint Central
Endpoint Central MSP
Endpoint DLP
Key Manager Plus
OS Deployer
PAM 360
Password Manager Pro
Patch Manager Plus
Remote Access Plus
Remote Monitoring and Management (RMM)
ServiceDesk Plus
ServiceDesk Plus MSP
SupportCenter Plus
Vulnerability Manager Plus

“In summary, when Apache Santuario is

Even though the research was done on ManageEngine products, Khoadha warns in his own write-up that the flaw is not limited to them, and products from other companies that use any of the impacted versions of libxmlsec for SAML could be similarly impacted.
That’s why he has dubbed the flaw SAML ShowStopper.

Attackers are already exploiting the ManageEngine flaw

Researchers from security firm Rapid7 reported on January 19 that they had already responded to compromises that resulted from exploitation of CVE-2022-47966. The company later updated its advisory with indicators of compromise that it was seeing in the wild as well as MITRE ATT&CK techniques the attackers were using post-exploitation. These include using PowerShell to disable Windows Defender and deploying a tunneling tool written in Golang called Chisel.

“Our vulnerability research team found during testing that some products may be more exploitable than others: ServiceDesk Plus, for instance, is easily exploitable with public proof-of-concept code, but ADSelfService Plus requires an attacker to obtain two additional pieces of information and modify the PoC for successful exploitation,” the Rapid7 researchers said.

Security firm GreyNoise is also detecting exploitation attempts on its honeypots. Vulnerabilities that can be exploited for remote code execution without authentication and have a public proof-of-concept are usually quickly adopted by attackers, so it is likely the number of attacks will only increase. Organizations that don’t directly expose any of these ManageEngine products to the internet should still apply the patches as soon as possible, because attackers can obtain network access in a variety of ways and this flaw can then be exploited for lateral movement. Many ManageEngine products are used for security, identity management and authentication, so they contain sensitive information.