Impacting at least two dozen on-premise ManageEngine products, the exploitation of a critical ManageEngine vulnerability has been observed in the form of a pre-authentication remote code execution (RCE) flaw dubbed CVE-2022-47966. By sending a specially crafted SAML response, an attacker is able to exploit this vulnerability targeting organizations with SAML SSO enabled.
Here’s what you need to know.
What is the CVE-2022-47966 vulnerability?
CVE-2022-47966, an unauthenticated RCE vulnerability, affects Zoho ManageEngine products including ServiceDesk Plus, Password Manager Pro and ADSelfService Plus – all of which have seen exploits in the wild during the past year.
The vulnerability is a pre-authentication remote code execution and is exploitable depending on the specific ManageEngine product, and whether or not its SAML single-sign-on is enabled, or has been enabled sometime in the past. This happens due to the use of Apache xmlsec (aka XML Security for Java) 1.4.1. In this version, the xmlsec XSLT features make the application responsible for certain security protections by design, but the ManageEngine applications do not necessarily provide these types of protections.
If exposed to the internet, a vulnerability such as this carries critical risk to organizations worldwide, allowing attackers to gain initial access and possibly also the ability to perform lateral movement (while using highly privileged credentials).
Extremely popular amongst organizations and attackers, the exploitation of the vulnerability arises on the base of a vulnerable third-party dependency on Apache Santuario.
Vulnerable to remote code execution (as of back to 2008), Apache Santuario consists of an outdated dependency assigned to it. If a target’s system has an SAML-based SSO, successful exploitation of ManageEngine products could be possible. In some cases, the system will only be vulnerable if SAML-based SSO is currently active.
Does it affect me?
Some of ManageEngine’s products are widely used across enterprises and perform several important business functions such as authorization, authentication, and identity management.
Different versions of ManageEngine products use different versions of Santuario and/or Xalan.
Apache Santuario (also known as xmlsec), performs XSLT transformations prior to validating the message’s signature, which can lead to the execution of arbitrary Java code. Although fixed in 2008, Zoho’s software was still using a vulnerable dependency.
Since the signature verification is only performed after the signature is verified, a malicious XMLSignature could contain a SignedInfo field with XSLT transformations that when applied perform the execution of arbitrary Java code. Even though the signature check fails, it does not prevent the transformations from happening.
Has CVE-2022-47966 been actively exploited in the wild?
On October 25, 2022, zSecurity’s Khoa Dinh reported a few security vulnerabilities in Zoho’s ManageEngine products, related to the usage of outdated libraries (xmlsec or Apache Santuario). Days later, Zoho began introducing patches to their products to include the updated libraries. However, they did not post a public advisory until a few months later in January 2023.
As of January 19, multiple instances of exploitation have been confirmed in the wild within customer environments. Also on that same date, the Horizon3 Security firm published a proof of concept (PoC) including technical details.
A threat actor will most likely be able to modify a POC exploit code through manual or automated scanning and exploitation attempts in order to gain initial access to victims’ environments.
Requests attempting to exploit this vulnerability peaked on January 20, right after public exploit code and deep dives were released. Collectively, we’ve seen almost 2,000 attack attempts this month, targeting almost 1,000 distinct sites, mostly based in the US and the Netherlands.
In their research, The Rapid7 research team discovered that some products might be more exploitable than others: For instance, ServiceDesk Plus is known to be easily exploitable with the public PoC code. ADSelfService Plus, on the other hand, requires an attacker to obtain two additional pieces of information and modify the PoC for successful exploitation.
Fixing CVE-2022-47966
Organizations using any of the affected products listed in ManageEngine’s advisory must update immediately and review unpatched systems for signs of compromise, as exploit code is publicly available and exploitation has already begun.
Zoho has released patches for affected products and various fixed version releases per each product.
Fixing this vulnerability has been found crucial due to the releasing of patches a few months prior to the advisory (which is considered very unusual), and could potentially grant attackers a wider window of action while leaving victims unaware of the critical nature of these patches.
You can find A full technical analysis of CVE-2022-47966 in AttackerKB.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Cyber risk in 2022- a 360° view report
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- How to properly tackle zero-day threats
- Threat intelligence frameworks in 2022
And finally…
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.
