Recently, researchers discovered a serious remote code execution (RCE) vulnerability (CVE-2018-7890) in ManageEngine Applications Manager. The vulnerability originates in the publicly accessible testCredential.do endpoint, where validating user-supplied credentials can result in remote code execution. At present, no official version has been released to fix this vulnerability.
Reference links:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7890
https://www.securityfocus.com/bid/103358
https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/
What is ManageEngine Applications Manager?
ManageEngine Applications Manager provides a solution for monitoring and managing J2EE infrastructure and J2EE applications. It can monitor Web servers, databases, application servers and the systems on which these components are deployed. It supports open standards such as SNMP and JMX, which protects investment and eases integration. Its management functions cover the most important aspects of a management solution, namely monitoring the underlying structure of the application server as well as the faults and performance of the applications deployed in it. It can also be used to manage custom applications and other servers, including Oracle database servers, email servers, file servers, search engines, and authentication servers.
As Zoho says, ManageEngine® Applications Manager helps users monitor Windows servers, Microsoft .NET, Microsoft SQL server databases, Microsoft IIS Web servers, and Microsoft Exchange servers. A large number of reports, charts, alarms, thresholds, and integrated malfunction management are preset to help administrators ensure that applications are always running at optimal performance.
Vulnerability Description
The testCredential.do endpoint takes multiple user inputs and validates the supplied credentials by accessing the given system. To do so, it calls several internal classes and executes a PowerShell script. If the given system is OfficeSharePointServer, the username and password are passed to the script without being validated, which results in RCE through command injection.
Applications Manager is not easy to exploit directly, as it is mostly deployed in intranet environments. However, the vulnerable request address is fixed, so an attacker who has already infiltrated the internal network of an enterprise can use it to scan for and take control of vulnerable servers.
Affected Version
- ManageEngine Applications Manager 13.5
Recommended Solutions
Researchers have published exploit scripts. With penetration tools such as Metasploit, large-scale attacks are likely to follow. Enterprises running ManageEngine Applications Manager are strongly recommended to step up monitoring. In addition, checking logs for abnormal requests to the fixed paths (/jsonfeed.do, /testCredential.do, for example) will help locate attacks.
Users of the affected version are also recommended to pay close attention to updates from ManageEngine so that they can remediate as soon as possible.
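The log check recommended above can be scripted. The following is an added example, not code from the advisory or from ManageEngine: it assumes the web access log is in Common Log Format, and the `admin_ips` allowlist, the sample lines and the `param` query name are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

WATCHED = ("/testcredential.do", "/jsonfeed.do")  # paths named in the advisory
RISKY_TYPE = "officesharepointserver"             # system type tied to the injection

# Common Log Format (an assumption; adapt to the deployment's access-log pattern).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"'
)

def scan(lines, admin_ips=frozenset()):
    """Group requests to the watched endpoints by client IP."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line, skip it
        path, _, query = m["target"].partition("?")
        path = unquote_plus(path).split(";", 1)[0].lower()  # drop ;jsessionid
        hit = next((w for w in WATCHED if path.endswith(w)), None)
        if hit is None:
            continue
        entry = report.setdefault(m["ip"], {
            "first_seen": m["ts"], "count": 0, "paths": set(),
            "sharepoint_type": False, "known_admin": m["ip"] in admin_ips})
        entry["count"] += 1
        entry["paths"].add(hit)
        # POST bodies are not logged, so this only sees values sent in the URL.
        if RISKY_TYPE in unquote_plus(query).lower():
            entry["sharepoint_type"] = True
    return report

# Constructed sample lines; "param" is a placeholder, not the product's parameter name.
SAMPLE = [
    '10.0.5.20 - - [12/Mar/2018:09:14:02 +0000] "GET /index.do HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2018:09:15:40 +0000] "POST /testCredential.do HTTP/1.1" 200 312',
    '198.51.100.7 - - [12/Mar/2018:09:15:44 +0000] "GET /testCredential.do?param=OfficeSharePointServer HTTP/1.1" 200 312',
    '198.51.100.7 - - [12/Mar/2018:09:15:51 +0000] "GET /jsonfeed.do HTTP/1.1" 200 88',
    '10.0.5.9 - - [12/Mar/2018:10:02:11 +0000] "POST /testCredential.do HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, entry in scan(SAMPLE, admin_ips={"10.0.5.9"}).items():
        print(ip, entry)
```

Because request bodies do not appear in access logs, any hit on testCredential.do from a client that is not a known administrator workstation deserves review even when `sharepoint_type` is false.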
Reference link:
https://www.manageengine.com/products/applications_manager/download.html