A remote code execution vulnerability in Zoho's ManageEngine, a popular IT management solution for enterprises, is being exploited in the wild.
The US Cybersecurity & Infrastructure Security Agency (CISA) added the flaw to its catalog of known exploited vulnerabilities last week, highlighting an immediate threat for organisations that haven't yet patched their vulnerable deployments.
The vulnerability, tracked as CVE-2022-3540, was privately reported to Zoho in June by a security researcher identified as Vinicius and was fixed later that same month.
The researcher posted a more detailed write-up at the beginning of this month and, according to him, it's a Java deserialisation flaw inherited from an outdated version of Apache OFBiz, an open source enterprise resource planning system, where it was patched in 2020 (CVE-2020-9496). This means that the Zoho ManageEngine products were vulnerable for two years due a failure to update a third-party component.
Normally, Apache OFBiz exposes an XML-RPC endpoint at /webtools/control/xmlrpc, which can receive unauthenticated requests. Those requests can contain serialised arguments that are then deserialised and if the class path contains any dangerous classes, remote code execution can be achieved.
In the context of the OFBiz server, the attacker can run arbitrary system commands with the privileges of the servlet container running the server.
Several Zoho ManageEngine products contain this component and expose the XML-RPC endpoint at /xmlrpc. One of the affected products is Zoho Password Manager Pro (PMP), which runs with NT Authority/system permissions, so successful exploitation can give an attacker full control over the server and access to the internal network.
In addition to Zoho Password Manager Pro, the vulnerability was also found in ManageEngine Access Manager Plus, a web-based privileged session management solution for tracking remote connections, and ManageEngine PAM360, a privileged access management solution.
All the impacted products are used for authentication and access management, so compromising any of them can have serious implications for an organisation.
Zoho advises users to upgrade to Access Manager Plus version 4303 or later, Password Manager Pro version 12101 or later and PAM360 5510 or later. The company says it has fixed the flaw by completely removing the vulnerable component from PAM360 and Access Manager Plus and removing the vulnerable XML-RPC parser from Password Manager Pro.
How to check for the ManageEngine vulnerability
Its security advisory includes steps for determining if a deployment has been targeted and potentially compromised:
- Navigate to <PMP/PAM360/AMP_Installation_Directory>/logs.
- Open the access_log_<Date>.txt file.
- Search for the keyword /xmlrpc POST in the text file. If this keyword is not found, your environment is not affected. If it is present, then proceed to the next step.
- Search for the following line in the logs files. If it is present, then your installation is compromised:
[/xmlrpc-<RandomNumbers>_###_https-jsse-nio2-<YourInstallationPort>-exec-<RandomNumber>] ERROR org.apache.xmlrpc.server.XmlRpcErrorLogger - InvocationTargetException: java.lang.reflect.InvocationTargetException
If an installation has been compromised, isolate the affected machine immediately and initiate an incident response investigation. Zoho asks users to send them a copy of all the application logs if a compromise has been detected.