ManageEngine caters to over 180,000 companies around the globe, so its critical vulnerabilities had the potential to affect three out of five Fortune 500 companies.
First brought to light by cybersecurity research firm Digital Defense, six previously unknown vulnerabilities were found to affect three ManageEngine products: Log360, EventLog Analyzer and Applications Manager.
A division of Zoho Corporation, ManageEngine offers 90+ tools that help manage pretty much every aspect of IT operations – from networks to applications and security.
Among the vulnerabilities, Digital Defense listed unauthenticated file upload, unauthenticated blind SQL injection, unauthenticated XML external entity (XXE) injection, and user enumeration via a servlet and ConfServlet.
The unauthenticated file upload via servlets could lead to remote code execution when the product runs on Windows, resulting in a full host compromise. The research firm disclosed that the CmClientUtilServlet could be accessed without authentication, and that its method does not check whether the “TYPE” request parameter contains a directory traversal sequence before using it to build the path of the file it creates.
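To illustrate the defect class described above, here is an added example (not ManageEngine's code, whose directory layout and servlet internals are not on the page): a hypothetical upload-path builder that concatenates a request parameter unchecked, next to a hardened version that allow-lists the parameter and confirms the normalized path stays under the upload root. The upload root and the `type`/`fileName` parameters are assumptions; the code only computes paths and never writes files.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class UploadPathCheck {
    // Hypothetical upload root; the real product's layout is not given on the page.
    static final Path UPLOAD_ROOT =
        Paths.get(System.getProperty("java.io.tmpdir"), "uploads").toAbsolutePath().normalize();

    // Vulnerable pattern: the request parameter goes straight into the path,
    // so a traversal sequence in it moves the target outside UPLOAD_ROOT.
    static Path vulnerablePath(String type, String fileName) {
        return UPLOAD_ROOT.resolve(type).resolve(fileName).normalize();
    }

    // Hardened pattern: allow-list the parameter characters first, then resolve,
    // normalize and verify the result is still inside the upload root (defence in depth).
    static Path safePath(String type, String fileName) throws IOException {
        if (!type.matches("[A-Za-z0-9_-]{1,32}") || !fileName.matches("[A-Za-z0-9_.-]{1,64}")) {
            throw new IOException("rejected parameter: " + type + "/" + fileName);
        }
        Path candidate = UPLOAD_ROOT.resolve(type).resolve(fileName).normalize();
        if (!candidate.startsWith(UPLOAD_ROOT)) {
            throw new IOException("path escapes upload root: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        String traversal = "../../outside";  // constructed sample parameter value
        System.out.println("vulnerable resolves to: " + vulnerablePath(traversal, "a.txt"));
        try {
            safePath(traversal, "a.txt");
        } catch (IOException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }
        System.out.println("hardened accepted: " + safePath("logs", "a.txt"));
    }
}
```

A detection-side corollary: servlet access logs showing `..` or URL-encoded equivalents in this parameter, from unauthenticated sessions, are worth alerting on while the patch is rolled out.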
Digital Defense also revealed that a blind SQL injection could be leveraged to fully compromise the ManageEngine application and the host running the application.
What ManageEngine has to say
We apologise for the inconvenience caused to customers. The issues have been fixed with Applications Manager version 13620, EventLog Analyzer version 11120 & Log360 version 5044. For details please visit: https://t.co/VjKSFkc0A0 , https://t.co/QMnfwRoqSE , https://t.co/Qhfpj4j2cQ.
— ManageEngine (@manageengine) March 26, 2018
In a statement to CSO Online, ManageEngine stated that security is a top priority for the company. “When these vulnerabilities were discovered, we immediately worked to release security patches to mitigate the risk of any potential attack. ManageEngine customers have been notified of the potential threat and how to eliminate any related exposure,” stated the company.
Although the company did not answer the question of how these vulnerabilities escaped internal detection, it clarified that the vulnerabilities affected certain on-premises ManageEngine applications, and not ManageEngine cloud applications or Zoho cloud business applications.
ManageEngine released EventLog Analyzer 11.12, which fixed the cross-site scripting (XSS) flaw and the remote code execution in the search and reports page.